Google Discloses New Unpatched Windows 8.1 Privilege Escalation Flaw

Google published the details of a new privilege escalation vulnerability in Windows just as Microsoft was preparing to patch it.

The security hole was reported to Microsoft by Google’s Project Zero initiative in October, and the details of the bug were automatically made available to the public on January 11, after a 90-day disclosure deadline.

“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced,” Google noted in its report.

“However there seems to be a bug in the way it handles impersonation: the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” the company added.

A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 has been published, but experts have confirmed that the vulnerability also affects Windows 7.

In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, the search giant told Microsoft that the 90-day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline even by two days.

Vulnerability disclosure: Microsoft vs Google

Microsoft is unhappy with Google’s vulnerability disclosure practices, especially since this is the second time this has happened in less than a month. In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.

In a blog post published shortly after the details of the second privilege escalation bug were made available, Chris Betz, senior director of Microsoft’s Security Response Center, criticized Google for its practices, arguing that Project Zero should have waited until today (January 13), when Microsoft plans on releasing a security update for the vulnerability, to disclose the flaw.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” Betz said.

Many have criticized Google after it released the details of the first privilege escalation vulnerability before Microsoft could patch it. The search company promised to review its practices, but pointed out that “disclosure deadlines are currently the optimal approach for user security.”

Errata Security’s Robert Graham highlighted in a blog post on Monday that Microsoft is criticizing a vulnerability disclosure policy that’s similar to the one it forced on the industry 10 years ago.

According to Graham, for several years, Microsoft had been in a position that allowed it to control the disclosure of security bugs. Because of this, it took years for some of the reported vulnerabilities to get fixed.

The expert noted that Google’s disclosure policy applies to its own products as well, but unlike Microsoft, which uses an outdated development process, Google relies on automated testing, which enables it to release updated versions of its software within 24 hours.

“I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs,” Graham said. “It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”

“But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard,” he added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.