Google Project Zero has disclosed a pair of unpatched Windows vulnerabilities after the expiration of its 90-day deadline. Microsoft said it will patch one bug in February, and both sides agree the second does not merit a security bulletin.