Microsoft got a fiery start to 2015 when Google last week publicized a kernel vulnerability in Windows 8.1 Update.
Google Project Zero’s James Forshaw, who discovered the flaw, ranked it as a high-severity issue.
Although Forshaw reported it to Microsoft last September, the company had not yet fixed the problem when Google published it.
The vulnerability lets a local user falsely pose as an administrator.
Microsoft’s tardiness could be due to “anything from competing internal priorities to lost emails,” said Jared DeMott, principal security researcher at Bromium. “But it doesn’t look like something that should take longer than 90 days to fix.”
Details About the Flaw
The “NtApphelpCacheControl” system call in Windows 8.1 Update lets administrators cache application compatibility data for quick reuse when new processes are created. The “AhcVerifyAdminContext” function checks to confirm whether the person trying to cache new data is indeed an administrator.
However, the function does not correctly check the impersonation token level of the person trying to cache new data, Forshaw said. So, it’s possible to get an identify token from a local system process and bypass the check.
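To make the missing check concrete, the following is an added toy model written for this article, not Microsoft's kernel code and not Forshaw's proof of concept. The enum constant names mirror the Windows SECURITY_IMPERSONATION_LEVEL values; the token struct, the two check functions and the sample tokens are constructed for illustration. It contrasts a check that only asks "is this an administrator's token?" with one that first requires the token to be usable at impersonation level, which is the distinction the article describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelled (not real kernel code): the impersonation levels a Windows token
 * can carry, in increasing order of what the holder may do with it. The
 * names mirror the SECURITY_IMPERSONATION_LEVEL enum; everything else here
 * is a constructed model. */
typedef enum {
    SecurityAnonymous = 0,
    SecurityIdentification = 1,   /* holder may query the identity only */
    SecurityImpersonation = 2,    /* holder may act as that identity locally */
    SecurityDelegation = 3
} impersonation_level_t;

/* Toy token: whom it represents, whether that account is an administrator,
 * and the level at which the holder is allowed to use it. */
typedef struct {
    const char *owner;
    bool owner_is_admin;
    impersonation_level_t level;
} token_t;

/* Pattern of the flawed check as the article describes it: it asks only
 * whether the token belongs to an administrator and ignores the level. */
bool admin_check_flawed(const token_t *tok) {
    return tok->owner_is_admin;
}

/* Hardened check: an identification-level token shows that an admin
 * identity exists, not that the caller may act as one, so require at least
 * SecurityImpersonation before trusting the admin flag. */
bool admin_check_hardened(const token_t *tok) {
    if (tok->level < SecurityImpersonation) {
        return false;
    }
    return tok->owner_is_admin;
}

/* Constructed scenario: a caller holding only an identification-level token
 * for a privileged local system account. */
static const token_t identify_only_system_token = {
    "SYSTEM", true, SecurityIdentification
};

/* Constructed scenario: a genuine administrator at impersonation level. */
static const token_t real_admin_token = {
    "Administrator", true, SecurityImpersonation
};

int main(void) {
    printf("flawed check, identify-only token:   %s\n",
           admin_check_flawed(&identify_only_system_token) ? "ALLOW" : "DENY");
    printf("hardened check, identify-only token: %s\n",
           admin_check_hardened(&identify_only_system_token) ? "ALLOW" : "DENY");
    printf("hardened check, real admin token:    %s\n",
           admin_check_hardened(&real_admin_token) ? "ALLOW" : "DENY");
    return 0;
}
```

The flawed variant accepts the identification-only token because the owner is privileged; the hardened variant rejects it and still accepts a real administrator token, which is the behaviour a reviewer would expect from a function named to verify an admin context.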
Forshaw tested the proof of concept on both the 32-bit and 64-bit versions of Windows 8.1 Update.
The flaw “looks to be a local privilege escalation,” DeMott told TechNewsWorld.
“LPEs have always been nice to have for attackers,” he noted, but now that applications are contained in sandboxes, LPEs “are often the answer to break free of the sandbox to get complex control of the OS after the first exploit.”
Why Publish the Flaw Now?
Forshaw gave Microsoft 90 days to fix the flaw after reporting it Sept. 30.
Microsoft could have moved faster to fix the flaw, given that Forshaw rated it as high severity and taking into account the many data breaches that have occurred in recent months.
“James has a history of working with Microsoft — he was a Microsoft bounty winner,” DeMott pointed out. “They should have taken his submission very seriously; they know who he is.”
Microsoft did not respond to our request to comment for this story.
The Google-Microsoft Flaw War
Google has been going after Microsoft for its tardiness in fixing flaws.
Google’s Tavis Ormandy, in particular, has posted information about several flaws in Windows code over the years. In May 2013, he posted details about one flaw on Seclists.org’s Full Disclosure without notifying Microsoft about it first, triggering a debate in the security industry.
Ormandy also accused Microsoft of being hostile to vulnerability researchers.
Later that month, Google security engineers Chris Evans and Drew Hintz suggested their standard 60-day recommendation — the time companies should get to fix vulnerabilities prior to their publication — be reduced to seven days.
Softly, Softly, Fix Vulnerability?
It could be that Microsoft is taking its time because it wants to get the fix right.
“In this case, 90 days clearly wasn’t enough for Microsoft to feel confident in shipping a well-tested update,” Sophos’ Chester Wisniewski wrote. Microsoft “has had a bit of a rough time with QA of security updates as of late.”
That said, the flaw is not as severe as it’s made out to be, he suggested.
Victims’ computers must already have been compromised for the vulnerability to work, Wisniewski explained, and putting User Account Control (UAC) on its maximum setting will trigger a warning when the flaw kicks in. Further, not logging onto a computer with admin credentials when surfing the Web or performing everyday tasks would eliminate the possibility of a UAC bypass.
Still, the threat can’t be discounted, because it’s easy for insiders to take over a company’s servers without the proper authorization, said Jonathan Sander, strategy and research officer for Stealthbits Technologies.
Security executives “know their insiders could own them … easily if they wanted to,” he told TechNewsWorld. “The old balance between convenience and security still leans towards convenience.”
Google declined to comment for this story.