Quote:It looked like Google Project Zero blew its own 90-day disclosure window when, on Wednesday, it disclosed an elevation of privilege (EoP) flaw in Windows that it reported to Microsoft just over a month ago on July 8.
 
But no: It turns out that Microsoft flip-flopped on whether or not it was planning to fix the issue, and the “WontFix” designation flipped the trigger and resulted in Project Zero’s disclosure of details on the flaw.
 
Microsoft initially said that it wasn’t going to bother: On July 18, it told Project Zero that exploitation requires compromising an AppContainer – i.e., a sandbox used to test Windows app security before letting the apps run free – that’s presumably already accessing the internet.
 
Given that, Microsoft said that “it’s a non-issue and they will not fix it,” according to Project Zero security researcher James Forshaw. Then, after further analysis, Microsoft spun on its heel. Yesterday, on Wednesday, the company said that yes, it would be tackling the beast.

As Forshaw recounted in a technical report about the flaw, the researcher basically shrugged at the “can’t be bothered” response from Redmond. It’s still an issue, Forshaw said at the time, given that attackers could still exploit the flaw to sneak in via intranet locations that, otherwise, they wouldn’t typically be able to get at. Nonetheless, a day after Microsoft’s “Won’tFix” response on July 18, Forshaw accepted the company’s choice to ignore the vulnerability.