SecurityWeek

Vulnerabilities

Google Discloses Unpatched Windows 8.1 Vulnerability

Google has published details and a proof-of-concept (PoC) for a local privilege escalation vulnerability affecting Windows 8.1.

The security hole was reported to Microsoft on September 30, 2014, by Google’s Project Zero initiative. According to Project Zero’s disclosure policy, the details of a bug automatically become visible to the public after 90 days even if a patch hasn’t been made available, which is exactly what happened in this case.

“On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext,” Google noted in its September 30 advisory.

“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” the advisory continues.
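The check the advisory describes, modelled as an added example in user-mode C (not Microsoft's ahcache.sys code): the vulnerable version compares only the token's user SID with LocalSystem, while the hardened version first rejects any token whose impersonation level is below SecurityImpersonation, which is what makes an identification-level token from a SYSTEM process useless for passing it. The enum values mirror Windows' SECURITY_IMPERSONATION_LEVEL; the token values are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the check; values mirror Windows' SECURITY_IMPERSONATION_LEVEL. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,  /* server may identify the client, not act as it */
    SecurityImpersonation  = 2,  /* server may act as the client locally */
    SecurityDelegation     = 3
} ImpersonationLevel;

static const char *LOCAL_SYSTEM_SID = "S-1-5-18";  /* well-known LocalSystem SID */

/* Vulnerable logic as the advisory describes it: compare the caller's token SID
   with LocalSystem and ignore the impersonation level (the real kernel API,
   PsReferenceImpersonationToken, does hand the level back via an out-parameter). */
int verify_admin_context_vulnerable(const char *user_sid, ImpersonationLevel level) {
    (void)level;  /* available, but never consulted */
    return strcmp(user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened logic: an identification-level token only proves who the client is
   and carries no authority to act, so anything below SecurityImpersonation is
   refused before the SID is even examined. */
int verify_admin_context_fixed(const char *user_sid, ImpersonationLevel level) {
    if (level < SecurityImpersonation)
        return 0;
    return strcmp(user_sid, LOCAL_SYSTEM_SID) == 0;
}

int main(void) {
    /* Constructed sample callers: SID plus impersonation level of the thread token. */
    struct { const char *desc; const char *sid; ImpersonationLevel lvl; } cases[] = {
        { "SYSTEM SID, identification-level token", "S-1-5-18", SecurityIdentification },
        { "SYSTEM SID, impersonation-level token",  "S-1-5-18", SecurityImpersonation  },
        { "normal user, impersonation-level token", "S-1-5-21-1-2-3-1001", SecurityImpersonation },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s vulnerable=%d fixed=%d\n", cases[i].desc,
               verify_admin_context_vulnerable(cases[i].sid, cases[i].lvl),
               verify_admin_context_fixed(cases[i].sid, cases[i].lvl));
    return 0;
}
```

Only the first case separates the two checks: the vulnerable version accepts it, the fixed one does not.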

The PoC published by Google leverages the User Account Control (UAC) feature in Windows, but researchers have pointed out that this isn’t a flaw in UAC.

The PoC has been tested on both the 32-bit and the 64-bit versions of Windows 8.1, which in December 2014 had a desktop operating system market share of 9.49%, according to netmarketshare.com. It’s possible that the attack works on Windows 7 as well, but no tests have been conducted, researchers said.

While some experts agree with Project Zero’s vulnerability disclosure policy, arguing that 90 days is more than enough for a vulnerability to be fixed, others believe Google has put users at risk.

In response to critics, Project Zero researcher Ben Hawkes noted that the company will be monitoring the effects of the current policy, but pointed out that most of the reported vulnerabilities have been fixed within the deadline.

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Hawkes said last week.

Microsoft says it’s working on an update that would address the security hole. However, the company has highlighted that an attacker needs valid login credentials for the targeted device in order for the attack to work. Microsoft will release its next round of Patch Tuesday security updates on January 13.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.