Microsoft has been attacked by Google's Project Zero security unit after the software giant had to pull its monthly Patch Tuesday last week.
The patches were expected to deliver security fixes for a long-running series of flaws that Microsoft claimed had been patched last year, but which Google's Project Zero claimed hadn't been properly fixed.
Microsoft pulled its February Patch Tuesday at the eleventh hour last week, claiming that one of the bug fixes might cause problems on some systems.
Google claims that it has uncovered multiple bugs affecting the Windows Graphics Component GDI library (gdi32.dll), which the company suggests could be used by an attacker to use EMF meta-files to access memory and, hence, to spill data.
While Microsoft issued a Security Bulletin (MS16-074) and patches to excise the bug back in June 2016, Google's Mateusz Jurczyk suggested that the Bulletin didn't fully fix the problem and described new exploits he had developed back in November, when Microsoft was also informed.
Jurczyk provided a detailed explanation of the security flaws on the Project Zero bulletin board. However, because no fix was forthcoming within the strict three-month deadline, Google published details of the security flaws over the weekend.
Indeed, Google's Project Zero has a no-ifs, no-buts policy of disclosing vulnerabilities within 90 days of reporting them to the vendor: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public," warns Project Zero
It is not the first time that Google has embarrassed Microsoft over security patches. In 2015, Project Zero twice went public on flaws in Windows, with Microsoft reportedly "begging" for more time to fix the second one after flunking the deadline on the first.
The very shaming of Microsoft helped encourage it to issue a mega-patch the next month.
Microsoft's decision to roll-up all patches into one mega-patch - making it all the easier to wrap-up unwanted updates into necessary security updates - may also have meant that the whole patch release had to be postponed when late problems were found with one of the patches.
Ecostress instrument will provide new insights into water usage and plant health on Earth
Chinese cyber espionage group Thrip targeting satellite communications, telecoms and defence companies
Symantec warning over state-sponsored hackers targeting satellite operators' control systems
Letter to House of Commons Treasure Committee explains cause of payments glitch earlier this month
Would you want to live in a world without memes?