Google published the details of a new privilege escalation vulnerability in Windows just as Microsoft was preparing to patch it.
The security hole was reported to Microsoft by Google’s Project Zero initiative in October, and the details of the bug were automatically made available to the public on January 11, after a 90-day disclosure deadline.
“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced,” Google noted in its report.
“However there seems to be a bug in the way it handles impersonation: the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” the company added.
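The mechanism Google describes above, a privileged component creating resources inside a tree the user controls, is a general class of bug, and the defensive rule is the same on any platform: do the privileged work only for the parts the user cannot touch, and never let an elevated identity write through a path the user can redirect. The block below is an added illustration, not code from Google’s report or from Windows; it models the pattern in POSIX terms (a temporary directory stands in for the profile root, a planted symbolic link stands in for a user-controlled redirect, and the `profile` and `protected` names are constructed), contrasting a naive privileged write with one that walks the path component by component without following links.

```python
"""Added illustration: why a privileged service must not create resources
inside a user-controlled tree under its own (elevated) identity.

Example code, not from Google's report or Microsoft's code.  The scenario
is constructed: a temporary directory models the profile root, a symlink
models a user-controlled redirect.  It runs unprivileged on Linux/macOS.
"""
import os
import tempfile


def naive_create(root: str, relpath: str, content: bytes) -> str:
    """The risky pattern: the privileged caller writes wherever the path leads.

    Every component below `root` is user-controlled, so a link planted there
    redirects the write to an arbitrary target.  Returns the path that
    actually received the data.
    """
    target = os.path.join(root, relpath)
    with open(target, "wb") as fh:   # follows links on every component
        fh.write(content)
    return os.path.realpath(target)


def hardened_create(root: str, relpath: str, content: bytes) -> str:
    """Walk `relpath` one component at a time, refusing to follow links.

    Each directory is opened with O_NOFOLLOW relative to the previous
    descriptor (no lexical re-resolution of the full path), and the leaf is
    created with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or link
    cannot be reused.  Raises OSError instead of writing through a link.
    """
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        parts = relpath.split(os.sep)
        for part in parts[:-1]:
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(parts[-1], flags, 0o600, dir_fd=dirfd)
        try:
            os.write(fd, content)
        finally:
            os.close(fd)
        return os.path.realpath(os.path.join(root, relpath))
    finally:
        os.close(dirfd)


def demo() -> dict:
    """Constructed scenario: a user plants a link inside their own profile
    tree pointing at a location they cannot write to themselves."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "profile")     # models C:\users\<name>
        protected = os.path.join(tmp, "protected")  # models a privileged location
        os.makedirs(os.path.join(profile, "AppData"))
        os.makedirs(protected)
        # user-planted link: profile/AppData/settings.ini -> protected/target
        link = os.path.join(profile, "AppData", "settings.ini")
        os.symlink(os.path.join(protected, "target"), link)
        rel = os.path.join("AppData", "settings.ini")

        landed = naive_create(profile, rel, b"x")
        naive_escaped = landed.startswith(os.path.realpath(protected))

        try:
            hardened_create(profile, rel, b"x")
            hardened_blocked = False
        except OSError:
            hardened_blocked = True

        # a legitimate, link-free path still works with the hardened routine
        ok_path = hardened_create(profile, os.path.join("AppData", "fresh.ini"), b"ok")
        hardened_ok = ok_path.startswith(os.path.realpath(profile))

        return {"naive_escaped": naive_escaped,
                "hardened_blocked": hardened_blocked,
                "hardened_ok": hardened_ok}


if __name__ == "__main__":
    print(demo())
```

The Windows equivalent of the hardened routine is to create the profile contents under the user’s own token (as the report says the first resources are) or, where elevated creation is unavoidable, to open each component with link-following disabled rather than resolving a full path the user controls.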
A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 has been published, but experts have confirmed that the vulnerability also affects Windows 7.
In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, the search giant told Microsoft that the 90-day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline even by two days.
Vulnerability disclosure: Microsoft vs Google
Microsoft is unhappy with Google’s vulnerability disclosure practices, especially since this is the second time this happened in less than a month. In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.
In a blog post published shortly after the details of the second privilege escalation bug were made available, Chris Betz, senior director of Microsoft’s Security Response Center, criticized Google for its practices, arguing that Project Zero should have waited until today (January 13), when Microsoft plans on releasing a security update for the vulnerability, to disclose the flaw.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” Betz said.
Many have criticized Google after it released the details of the first privilege escalation vulnerability before Microsoft could patch it. The search company promised to review its practices, but pointed out that “disclosure deadlines are currently the optimal approach for user security.”
Errata Security’s Robert Graham highlighted in a blog post on Monday that Microsoft is criticizing a vulnerability disclosure policy that’s similar to the one it forced on the industry 10 years ago.
According to Graham, for several years, Microsoft had been in a position that allowed it to control the disclosure of security bugs. Because of this, it took years for some of the reported vulnerabilities to get fixed.
The expert noted that Google’s disclosure policy applies to its own products as well, but unlike Microsoft, which uses an outdated development process, Google relies on automated testing, which enables it to release updated versions of its software within 24 hours.
“I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs,” Graham said. “It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”
“But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard,” he added.