Google beat Microsoft to the punch this week when it published a Windows security vulnerability before Microsoft fixed it. The bug allows lower-level users on Windows 8.1 systems to make themselves system administrators, giving them access to server settings without prior approval.
Google publicized the bug as part of Project Zero, which tracks software flaws and reports them to vendors. Those vendors then get 90 days to fix problems before Project Zero publishes the bug along with code that can be used to exploit it.
Google first notified Microsoft of the bug on Sept. 30, 2014, Engadget reports. Microsoft says it’s still working on a security update, but it also sought to downplay concerns that hackers could use the bug to do serious damage in the meantime.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,” Microsoft said in a statement.
All this might sound like Google is picking on a rival company’s software. However, Google says the intent of Project Zero is to encourage software vendors to secure their products quickly — before hackers find the flaws first.
“By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Google said.