Microsoft has been attacked by Google's Project Zero security unit after the software giant had to pull its monthly Patch Tuesday last week.
The patches were expected to deliver security fixes for a long-running series of flaws that Microsoft claimed had been patched last year, but which Google's Project Zero claimed hadn't been properly fixed.
Microsoft pulled its February Patch Tuesday at the eleventh hour last week, claiming that one of the bug fixes might cause problems on some systems.
Google claims that it has uncovered multiple bugs affecting the Windows Graphics Component GDI library (gdi32.dll), which the company suggests could be used by an attacker to use EMF meta-files to access memory and, hence, to spill data.
While Microsoft issued a Security Bulletin (MS16-074) and patches to excise the bug back in June 2016, Google's Mateusz Jurczyk suggested that the Bulletin didn't fully fix the problem and described new exploits he had developed back in November, when Microsoft was also informed.
Jurczyk provided a detailed explanation of the security flaws on the Project Zero bulletin board. However, because no fix was forthcoming within the strict three-month deadline, Google published details of the security flaws over the weekend.
Indeed, Google's Project Zero has a no-ifs, no-buts policy of disclosing vulnerabilities within 90 days of reporting them to the vendor: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public," warns Project Zero
It is not the first time that Google has embarrassed Microsoft over security patches. In 2015, Project Zero twice went public on flaws in Windows, with Microsoft reportedly "begging" for more time to fix the second one after flunking the deadline on the first.
The very shaming of Microsoft helped encourage it to issue a mega-patch the next month.
Microsoft's decision to roll-up all patches into one mega-patch - making it all the easier to wrap-up unwanted updates into necessary security updates - may also have meant that the whole patch release had to be postponed when late problems were found with one of the patches.
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere