Google Discloses Unpatched Windows 8.1 Vulnerability

Google has published details and a proof-of-concept (PoC) for a local privilege escalation vulnerability affecting Windows 8.1.

The security hole was reported to Microsoft on September 30, 2014, by Google’s Project Zero team. Under Project Zero’s disclosure policy, the details of a bug automatically become public 90 days after the report even if a patch hasn’t been made available, and that deadline passed at the end of December 2014 with Windows 8.1 still unpatched.

“On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext,” Google noted in its September 30 advisory.

“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” the advisory continues.
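The check the advisory describes, and the level test it says is missing, as an added example in C. This is a user-mode model written for this article, not the ahcache.sys code and not Microsoft’s patch; the Token type, the SID strings, the sample callers and the function names are assumptions made for illustration. The enum values follow the ordering of the Windows SECURITY_IMPERSONATION_LEVEL type.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the admin check described in the advisory. Types and names are
 * constructed for this example; they are not the ahcache.sys code.
 * The enum mirrors the Windows SECURITY_IMPERSONATION_LEVEL ordering.
 */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,   /* caller may query the identity only */
    SecurityImpersonation  = 2,   /* caller may act as the identity locally */
    SecurityDelegation     = 3
} ImpersonationLevel;

typedef struct {
    const char        *user_sid;  /* textual SID of the token's user */
    ImpersonationLevel level;     /* level granted when the token was obtained */
} Token;

/* Well-known SID of the LocalSystem account. */
static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/*
 * Flawed variant: mirrors what the advisory says AhcVerifyAdminContext did.
 * It compares the token's user SID with LocalSystem and ignores the level,
 * so an identification-level SYSTEM token passes.
 */
bool verify_admin_context_flawed(const Token *tok)
{
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/*
 * Hardened variant (added here, not Microsoft's fix): a token obtained at
 * SecurityIdentification or below proves only who the client is, not that
 * the caller may act with that identity, so it is rejected before the SID
 * is examined. In a real driver the level comes back through the
 * ImpersonationLevel out parameter of PsReferenceImpersonationToken and the
 * SID comparison would use RtlEqualSid on the token's user SID.
 */
bool verify_admin_context_fixed(const Token *tok)
{
    if (tok->level < SecurityImpersonation)
        return false;
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Constructed callers for the demonstration below (sample data, not real tokens). */
static const Token system_impersonation = { "S-1-5-18", SecurityImpersonation };
static const Token system_identify      = { "S-1-5-18", SecurityIdentification };
static const Token normal_user          = { "S-1-5-21-1000-2000-3000-1001", SecurityImpersonation };

int main(void)
{
    const struct { const char *name; const Token *tok; } cases[] = {
        { "SYSTEM, impersonation level",      &system_impersonation },
        { "SYSTEM, identification level",     &system_identify },
        { "normal user, impersonation level", &normal_user },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-34s flawed=%s fixed=%s\n", cases[i].name,
               verify_admin_context_flawed(cases[i].tok) ? "allow" : "deny",
               verify_admin_context_fixed(cases[i].tok)  ? "allow" : "deny");
    }
    return 0;
}
```

The second case is the one the advisory is about: the token really does belong to LocalSystem, so a SID-only comparison allows it, but it was granted at identification level, which Windows hands to less-privileged code routinely (for instance when a server impersonates a client that permitted only identification-level impersonation). Any kernel or service component that bases an authorization decision on an impersonation token has to treat the level as part of the token’s trust and refuse SecurityIdentification and SecurityAnonymous outright.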

The PoC published by Google uses the User Account Control (UAC) feature in Windows as the vehicle for turning a poisoned cache entry into elevated code execution, but researchers have pointed out that this isn’t a flaw in UAC: the bug is the incomplete token check in ahcache.sys.

The PoC has been tested on both the 32-bit and the 64-bit versions of Windows 8.1, which in December 2014 had a desktop operating system market share of 9.49%. It’s possible that the attack works on Windows 7 as well, but no tests have been conducted, researchers said.

While some experts agree with Project Zero’s vulnerability disclosure policy, arguing that 90 days is more than enough for a vulnerability to be fixed, others believe Google has put users at risk.

In response to critics, Project Zero researcher Ben Hawkes noted that the company will be monitoring the effects of the current policy, but pointed out that most of the reported vulnerabilities have been fixed under the deadline.

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Hawkes said last week.

Microsoft says it’s working on an update that would address the security hole. However, the company has highlighted that an attacker needs valid login credentials for the targeted device in order for the attack to work: this is a local privilege escalation, so it lets code already running as a standard user gain higher privileges rather than giving a remote attacker an initial foothold. Microsoft will release its next round of Patch Tuesday security updates on January 13.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
