Connect with us

Hi, what are you looking for?



Google Discloses Windows Flaw That Microsoft Failed to Fix

Google has released the details of another Windows vulnerability. Microsoft planned on fixing the flaw with the January updates, but was forced to delay the patch due to compatibility issues.

Google has released the details of another Windows vulnerability. Microsoft planned on fixing the flaw with the January updates, but was forced to delay the patch due to compatibility issues.

The vulnerability disclosure “game” between Microsoft and Google continues. On Thursday, Google disclosed a security bypass/information disclosure bug affecting both Windows 7 and Windows 8.1. The flaw was reported to Microsoft on October 17 and its details were automatically made public after Google’s 90-day disclosure deadline expired.

“The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios, process, logon session and computer. When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag) the encryption key is generated based on the logon session identifier, this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another it supports extracting the logon session id from the impersonation token,” Google Project Zero researcher James Forshaw wrote in an advisory.

“The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section,” Forshaw added.

Microsoft informed Google in late October that they had managed to reproduce the issue. The company later told Google that it had planned to release a fix in January, but the patch had to be pulled due to compatibility issues. The vulnerability will likely be addressed in February, Microsoft said.

This is the third Windows vulnerability disclosed by Google before Microsoft could release a fix. After Google published the details for two Windows privilege escalation vulnerabilities, Microsoft criticized the search giant and accused it of putting users at risk.

Google was also criticized by some members of the infosec community for sticking to its 90-day disclosure deadline. The company has promised to review the process, but it believes “disclosure deadlines are currently the optimal approach for user security.”

Advertisement. Scroll to continue reading.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” Chris Betz, senior director of Microsoft’s Security Response Center, wrote in a blog post.

Betz’s response came after Google disclosed the second privilege escalation vulnerability just two days before Microsoft released its Patch Tuesday security updates for January, which address both privilege escalation issues.

“Google is right,” said Errata Security’s Robert Graham. “Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing ‘secure’ software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long. Microsoft either needs to move forward with the times and adopt ‘agile’ methodologies, or just accept its role of milking legacy for the next few decades as IBM does with mainframes.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.