Security Advisor

Google Pulls Curtain Back on Windows 8.1 Zero-Day Flaw

Microsoft said it is currently finishing up on a fix.

Google last week released information on a vulnerability in Microsoft's latest OS that could allow malicious applications to bypass Windows' built-in security features and gain the same permission levels as an administrator.

The elevation-of-privilege flaw was discovered by Google's Project Zero security group -- an initiative that started last summer and works toward finding possible attack targets not only in Google's own products and services, but also in those from third-party vendors. The Windows 8.1 hole was discovered over three months ago, but, as is policy with the group, Google only alerted Microsoft at first.

However, after 90 days had expired and no patch was released, the Google security team publicly released details online on Dec. 29.

"On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created," wrote Google in a research message board posting. "A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext."

While Google's disclosure means that the flaw could potentially be used by attackers, the actual level of the threat is relatively low because a system would first need to be infected by malware.

In response to the public disclosure, Microsoft released the following statement: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

While Google has not tested to see if the bug exists in any other versions of Windows, Project Zero said that it may also exist in Windows 7. Along with releasing a summary of the vulnerability, Google also released proof-of-concept code on the flaw.

Even though the flaw is relatively minor, and would take quite a bit of work to exploit, some are questioning whether or not the 90-day disclosure rule gives vendors enough time.

Security expert Chester Wisniewski of Sophos argues that both the 90-day time limit and the recent issues Microsoft has had with shipping properly functioning fixes should have put pressure on Google to give Microsoft more time to address the flaw. These factors, coupled with the manner in which Google alerted the public, lead Wisniewski to believe the release was done more to embarrass Microsoft than out of concern for the general public.

"The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability," wrote Wisniewski. "In my book, that's not compatible with behaviour that is allegedly in the public interest."

What's your take? Is 90 days enough time for companies to address found issues? And should disclosure come packaged with proof-of-concept code?

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
