Security Advisor
Google Pulls Curtain Back on Windows 8.1 Zero-Day Flaw
Microsoft said it is currently finishing up on a fix.
Google last week released information on vulnerability in Microsoft's latest OS that could allow malicious applications from bypassing Windows' built-in security features and gain the same permission levels as an administrator.
The elevation of privilege flaw was discovered by Google's Project Zero security group -- an initiative that started last summer and works towards finding possible attack targets not only in its own products and services, but those from other third-party vendors. The Windows 8.1 hole was discovered over three months ago, but, as is policy with the group, Google only alerted Microsoft at first.
However, after 90 days had expired and no patch was released, the Google security team publicly released details online on Dec. 29.
"On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created," wrote Google in a research message board posting. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext."
While Google's disclosure means that the flaw could potentially be used by attackers, the actual level of the threat is relatively low due to a system needing to be previously infected by malware.
In response to the public disclosure, Microsoft released the following statement: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
While Google has not tested to see if the bug exists in any other versions of Windows, Project Zero said that it may also exist in Windows 7. Along with releasing a summary of the vulnerability, Google also released proof-of-concept code on the flaw.
Even though the flaw is relatively minor, and would take quite a bit of work to exploit, some are questioning whether or not the 90-day disclosure rule gives vendors enough time.
Security expert Chester Wisniewski of Sophos argues that both the 90 day time limit and the recent issues Microsoft has had with shipping properly functioning fixes should have put pressure on Google to give Microsoft more time to address the flaw. And these factors, coupled with the manner in which Google alerted the public, leads Wisniewski to believe the release was done more to embarrass Microsoft and was not done out of concern for the general public.
"The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability," wrote Wisniewski. "In my book, that's not compatible with behaviour that is allegedly in the public interest."
What's your take? Is 90 days enough time for companies to address found issues? And should disclosure come packaged with proof-of-concept code?