SecurityWeek

Google Discloses Unpatched Windows 8.1 Vulnerability

Google has published details and a proof-of-concept (PoC) for a local privilege escalation vulnerability affecting Windows 8.1.

The security hole was reported to Microsoft on September 30, 2014, by Google’s Project Zero initiative. According to Project Zero’s disclosure policy, the details of a bug automatically become visible to the public after 90 days even if a patch hasn’t been made available, which is exactly what happened in this case.

“On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext,” Google noted in its September 30 advisory.

“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” the advisory continues.
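To make the quoted check concrete, the following is an added illustration, not Project Zero's or Microsoft's code: it models the SID-only comparison the advisory describes beside a version that also honours the impersonation level reported for the token. The Token struct, the function names and the sample SIDs are assumptions of the model; the enum values are the real SECURITY_IMPERSONATION_LEVEL values.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Real values of the Windows SECURITY_IMPERSONATION_LEVEL enum. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1, /* caller may be identified but not impersonated */
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} SECURITY_IMPERSONATION_LEVEL;

/* Simplified stand-in (assumed model) for the caller's impersonation token:
 * the user SID and the level that PsReferenceImpersonationToken reports. */
typedef struct {
    const char *user_sid;
    SECURITY_IMPERSONATION_LEVEL level;
} Token;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18"; /* well-known LocalSystem SID */

/* The check as the advisory describes it: only the user SID is compared,
 * so an identification-level token with the SYSTEM SID is accepted. */
bool verify_admin_context_vulnerable(const Token *t)
{
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened form: an identification-level token proves nothing about the
 * caller's authority, so require at least SecurityImpersonation as well. */
bool verify_admin_context_fixed(const Token *t)
{
    if (t->level < SecurityImpersonation)
        return false;
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

int main(void)
{
    /* Constructed sample tokens for the demonstration. */
    Token identify_only = { "S-1-5-18", SecurityIdentification };
    Token full_system   = { "S-1-5-18", SecurityImpersonation };
    Token plain_user    = { "S-1-5-21-1000-2000-3000-1001", SecurityImpersonation };
    const Token *cases[] = { &identify_only, &full_system, &plain_user };
    for (int i = 0; i < 3; i++)
        printf("token %d: sid-only check=%d, with level check=%d\n", i,
               verify_admin_context_vulnerable(cases[i]),
               verify_admin_context_fixed(cases[i]));
    return 0;
}
```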

The PoC published by Google leverages the User Account Control (UAC) feature in Windows, but researchers have pointed out that this isn’t a flaw in UAC.

The PoC has been tested on both the 32-bit and the 64-bit versions of Windows 8.1, which in December 2014 had a desktop operating system market share of 9.49%, according to netmarketshare.com. It’s possible that the attack works on Windows 7 as well, but no tests have been conducted, researchers said.

While some experts agree with Project Zero’s vulnerability disclosure policy, arguing that 90 days is more than enough for a vulnerability to be fixed, others believe Google has put users at risk.

In response to critics, Project Zero researcher Ben Hawkes noted that the company will be monitoring the effects of the current policy, but pointed out that most of the reported vulnerabilities have been fixed within the deadline.

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Hawkes said last week.

Microsoft says it’s working on an update that would address the security hole. However, the company has highlighted that an attacker needs valid login credentials for the targeted device in order for the attack to work. Microsoft will release its next round of Patch Tuesday security updates on January 13.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
