Microsoft has said it plans to patch a new class of Windows security bug discovered by a Google Project Zero researcher despite finding no conclusive evidence that it poses a threat to users.

The unusual and complicated weakness appears to have been sitting unnoticed in Windows since as far back as XP and will be patched in the next version of Windows 10, currently named 19H1 (aka version 1903).

But if it’s not a clear threat, why patch it at all? For the answer to that, we need to explore the backstory.

Project Zero researcher James Forshaw says he first discovered what he assumed was a relatively straightforward kernel-mode driver Elevation of Privilege (EoP) issue in 2016, which Microsoft eventually fixed as CVE-2016-3219.

Following up a year later, however, he realised he’d stumbled upon a larger logic hole that might allow malware running in user mode (which limits privileges) to elevate its privileges through the interaction between Microsoft and third-party kernel-mode drivers and the Windows I/O manager subsystem.

However, Forshaw was still unable to create a working proof-of-concept (many aspects of these deeper code interactions are difficult without proprietary knowledge), forcing him to contact Microsoft for help:

This led to meetings with various teams at Bluehat 2017 in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base.