Google finds 'severe' bug in MS Windows

Google researchers accused of being "reckless" for disclosing flaw before Microsoft has patched it.

Google has found a 'severe' privilege escalation bug in Microsoft Windows but has been called "reckless" for revealing the vulnerability before Microsoft has patched it.

Google's Project Zero security research team said in a blog post last week that the flaw is in both 32-bit and 64-bit versions of Windows 8.1 Update.

The bug is in the code that caches application compatibility data for quick re-use. Only administrators should be able to add new cache entries, but the flaw lets ordinary users bypass the check that verifies they actually have administrator rights.

Google gives the bug a rating of “high severity” and says: “It is just a case of finding a way to exploit the vulnerability. The trick would be finding a suitable pre-existing app compatibility configuration to abuse.”

Google also warns it is not clear whether the flaw also affects Windows 7 systems as these have not been checked.

The company first identified the problem in September and alerted Microsoft. But its Project Zero scheme has an automatic 90-day deadline for revealing flaws – and so Google published its findings last week even though Microsoft has not yet patched the problem.

This has attracted some strong criticism, with UK-based cyber-security expert Paco Hope, principal consultant at Cigital, criticising the strict 90-day disclosure deadline as “reckless”.

He told SCMagazineUK.com via email: “Rigid deadlines that are followed blindly are not good for anybody. If this was given 116 days (or similar) instead of 90, no-one would have suffered. Pressuring vendors to fix bugs makes sense, but setting and forgetting on vulnerability disclosure is unnecessarily reckless.”

Graeme Batsman, security director of EncSec, gave Google some credit but was still critical. He told SCMagazineUK.com via email: “Often if a company which has been breached or has a flaw ignores you, no other option exists. Though maybe the 90-day timer could require manual review so a 'risk assessment' could be done.

“Failing that, if they would have sent out a press release maybe the full details could be stripped so Microsoft could contact them for the details - thus saving all the bad guys close to New Year's Eve knowing all.”

Reader reaction to the blog itself was also mixed, with one commentator saying: “Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google.”

But other users said “Kudos to Google for sticking to its deadline” and: “Maybe there is someone already exploiting this vulnerability even before this was posted. I think it is a good thing to make it public to generate some pressure on the developer/manufacturer to fix its products.”

In response, Google confirmed it reported the issue to Microsoft on 30 September, including its 90-day disclosure deadline.

Google added: “Project Zero's disclosure deadline policy is the result of many years of careful consideration and industry-wide discussions about vulnerability remediation.”

It said it had faith in disclosure deadlines as “the optimal approach for user security” but added: “We're going to be monitoring the effects of this policy very closely.”

Analysing the severity of the vulnerability found, Paco Hope said: “Bugs like this are important, and fairly routine. They become building blocks in more complex, multi-stage attacks that ultimately compromise systems.”

Graeme Batsman said: “Privilege escalation flaws are fairly common and based on the instructions you need for local access to the PC. This would either be by a staff insider, outside infiltrated connection, automated script or drop malicious exe. It is not like something where you can gain access to a random RDP session which is of course far worse due to a publicly visible port (3389).”

Microsoft was contacted for comment but had not replied by the time of writing.