Jump to content

Project Zero team has disclosed a new unpatched Windows 8 flaw


steven36

Recommended Posts

Google Project Zero team disclosed a new unpatched vulnerability affecting Windows 8.1 systems unleashing the wrath of Microsoft for its disclosure policy.

The experts at the Google Project Zero team have ethically disclosed the details of an unpatched Windows 8.1 vulnerability reported to Microsoft in September. The team has waited for 90 days before publicly disclose the details of the flaw in compliance with its disclosure policy.

It is the second flaw in Windows 8.1 OS publicly disclosed by the Elite Google Team in a few weeks, also in this case the experts have waited for 90 days before unveil the details of the vulnerability in compliance with its disclosure policy. It is curious to note that in November, Microsoft asked Google to extend the deadline because it was planning to fix the bug in February 2015, but Google refused in compliance with its policy. Microsoft decided to address the vulnerability in January, but Google refused again to extend the disclosure deadline even by two days.

The expert also confirmed that Windows 7 systems are affected by the flaw, the expert also provided a proof-of-concept (PoC) showing how to exploit the security flaw in a real attack on Windows 8.1.

When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced,” reads the report issued by Google.

“However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs everytime the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” the company added.

Microsoft has criticized the Google disclosure policy, Chris Betz, senior director of Microsoft’s Security Response Center, in a blog post the expert explained that there was no reason to disclose the details of the flaw because Microsoft plans on releasing a security update on January 13.


“CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix.” wrote Betz.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” wrote Betz.

It is difficult to express an opinion on the case, despite it is correct to respect the disclosure policy to force company fixing the flaw, it must be also considered a possible tolerance for cases like this, especially when there are technical issues that must be carefully analyzed to avoid regression errors.

Source

Link to comment
Share on other sites


  • Views 1.1k
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...