Google beat Microsoft to the punch this week when it published a Windows security vulnerability before Microsoft fixed it. The bug allows lower-level users on Windows 8.1 systems to make themselves system administrators, giving them access to server settings without prior approval.
Google publicized the bug as part of Project Zero, which tracks software flaws and reports them to vendors. Those vendors then get 90 days to fix problems before Project Zero publishes the bug along with code that can be used to exploit it.
Google first notified Microsoft of the bug on Sept. 30, 2014, Engadget reports. Microsoft says it’s still working on a security update, but it also sought to downplay concerns that hackers could use the bug to do serious damage in the meanwhile.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,” Microsoft said in a statement.
All this might sound like Google is picking on a rival company’s software. However, Google says the intent of Project Zero is to encourage software vendors to secure their products quickly — before hackers find the flaws first.
“By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Google said.