Google has published details and a proof-of-concept (PoC) for a local privilege escalation vulnerability affecting Windows 8.1.
The security hole was reported to Microsoft on September 30, 2014, by Google’s Project Zero initiative. According to Project Zero’s disclosure policy, the details of a bug automatically become visible to the public after 90 days even if a patch hasn’t been made available, which is exactly what happened in this case.
“On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext,” Google noted in its September 30 advisory.
“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” the advisory continues.
The PoC published by Google leverages the User Account Control (UAC) feature in Windows, but researchers have pointed out that this isn’t a flaw in UAC.
The PoC has been tested on both the 32-bit and the 64-bit versions of Windows 8.1, which in December 2014 had a desktop operating system market share of 9.49%, according to netmarketshare.com. It’s possible that the attack works on Windows 7 as well, but no tests have been conducted, researchers said.
While some experts agree with Project Zero’s vulnerability disclosure policy, arguing that 90 days is more than enough for a vulnerability to be fixed, others believe Google has put users at risk.
In response to critics, Project Zero researcher Ben Hawkes noted that the company will be monitoring the effects of the current policy, but pointed out that most of the reported vulnerabilities have been fixed under the deadline.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response,” Hawkes said last week.
Microsoft says it’s working on an update that would address the security hole. However, the company has highlighted that an attacker needs valid login credentials for the targeted device in order for the attack to work. Microsoft will release its next round of Patch Tuesday security updates on January 13.