Security Team Project Zero Exposure: Microsoft released the patch did not completely fix the Windows vulnerability

Google Project Zero information security team, specifically responsible for looking for a variety of software security vulnerabilities, and Windows has become a key “care object.”After several controversial loopholes in the public, the Google team once again disclosed the Windows system to access the kernel storage security vulnerabilities. The vulnerability was discovered by the Project Zero team in March of this year, which also exists in other company software products, including Google, which Microsoft has fixed in Tuesday’s Patch Tuesday event.

Project Zero reports to the software vendor after the discovery of the vulnerability and is fully announced after 90 days. Although the Microsoft has fixed the vulnerability for a limited period of time, the Project Zero team said Microsoft is not completely correct. In this regard, Microsoft admitted that there are still problems. The vulnerability allows anyone to access the kernel store. In the nt!NtNotifyChangeDirectoryFile subsystem on Windows systems, it is reported that an attacker can view and access an uninitialized memory pool in user mode due to an output mechanism.

Google said the vulnerability could allow an attacker who had already gained local authority to bypass some of the vulnerability protection measures (Kernel ASLR) and read other partitioned content in the kernel address space. Google has reminded Microsoft, Windows 7 to 10 users are still able to exist this vulnerability. Microsoft is expected to fix it next Tuesday’s patch Tuesday. Up to now, the security level of the vulnerability has been marked as “medium”.