Google Discloses Microsoft Zero Day FlawWindows 8.1 Vulnerability Unfixed After 90 Days, Google Says
(This story has been updated)
See Also: Secure Access in a Hybrid IT World
Microsoft says it's prepping a patch for a vulnerability that exists in Windows 8.1 - and possibly other versions of Windows - that was recently disclosed by Google. The bug report has triggered both praise and condemnation for the 90-day deadline Google gives vendors to patch flaws before it publicly releases full details of a bug.
Microsoft says the flaw spotted by Google's researchers could facilitate a privilege-escalation attack, thus giving an attacker administrator-level access to a system, which could allow them to bypass some security controls and execute malicious code. "We are working to release a security update to address an elevation of privilege issue," Microsoft says in a statement.
The vulnerability, Google says, relates to how a system call "allows application compatibility data to be cached for quick reuse when new processes are created," and that "a normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators." By targeting a vulnerability in that process, however, Google says that an attacker could use a local system process to obtain an administrator-level identity token.
Google's bug report to Microsoft - dated Sept. 30, 2014 - includes a proof-of-concept attack that shows how the vulnerability can be exploited. As of Jan. 5, 2015, 12 out of 55 anti-virus engines tested by the malware-scanning service VirusTotal were flagging the proof-of-concept code as malicious.
But Microsoft points out: "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer."
Google's bug report says the flaw exists at least in Windows 8.1, and in both the 32-bit and 64-bit versions. As of December 2014, Windows 8.1 was running on 9.5 percent of all desktops and laptops, according to market research firm NetMarketShare.
But Google says more versions of Windows may be at risk from the flaw, noting that "no effort has been made to verify it on Windows 7." Microsoft also has yet to detail exactly which versions of its Windows operating systems sport the flaw.
Debating Google's Policies
Google's Sept. 30 bug report to Microsoft included this warning: "If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public." On Dec. 29, the bug report was updated to read: "Deadline exceeded - automatically derestricting."
London-based Fayaz Khaki, associate director of information security for market research firm IDC, notes that the bug detailed by Google "is not a high-priority vulnerability" to fix, because an attacker would need to possess valid log-in credentials before they could exploit the flaw. But he questions Google's deadline. "I think Google's 90-day window to get bugs fixed is aggressive, particularly as Google cannot know the consequence of the potential fix, i.e. what chain reaction does the fix have on the software or user experience? Will the fix have an impact to another part of the software forcing Microsoft to re-engineer more than one part of the software? Will the fix have an impact on the user experience?" he says.
But reaction to Google detailing a previously unknown vulnerability in the most recent version of Windows - prior to Microsoft patching the flaw - has been mixed, at least to judge by the comments posted to Google's bug report.
"This is an incredibly bad policy on auto-disclosure, especially with a deadline over the holiday season," says one commenter. "As the former CEO of a vulnerability assessment firm, this behavior would have you listed as a 'grey hat' immediately for putting the public at harm."
Some, however, have praised Google's policies. "Microsoft had three months to resolve this and were aware of Google's disclosure timeline," says another commenter. "If they chose not to address it, that is their decision. I have waited years (sometimes 4+) for Microsoft to address security issues I reported. A 90-day timeline makes a lot more sense in terms of improving overall security."
Setting deadlines for vendors to acknowledge a bug report and agree to a "coordinated disclosure" date is not uncommon. Vulnerability and patch management vendor Secunia, for example, offers a default six-month window between when it first notifies a vendor of a flaw and when it publicly releases full details of the flaw - providing there's no evidence that the bug is being actively exploited in the wild. Kasper Lindgaard, Secunia's director of research and security, says the firm will also grant a brief, one-time extension, upon request, to a vendor that appears to be trying in good faith to fix a flaw, but which needs more time.
Secunia's Kasper Lindgaard analyzes Google's 90-day vulnerability-notification window for vendors.
While it's reasonable to expect most fixes to arrive within three months, Lindgaard says, patching, testing and conducting quality assurance - to make sure fixes don't have unintended effects - on something as complex as the Windows kernel might reasonably take longer. He adds that Microsoft was forced to reissue a botched Windows 8.1 update in August 2014, followed by a bad Windows 7 patch in November. "So they might have been extra careful on this one, because they don't want to push anything out that hasn't been 100 percent through the QA process," he says.
Striking a Balance
Reacting to the debate over its disclosure policies, Google's Ben Hawkes, who's a member of the company's Project Zero bug-hunting team, says that the 90-day deadline isn't meant to be punitive, but rather meant to balance user security with giving vendors enough time to build, test and deploy patches.
"The majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors," Hawkes says. "With that said, we're going to be monitoring the [effects] of this policy very closely - we want our decisions here to be data-driven, and we're constantly seeking improvements that will benefit user security."
But IDC's Khaki notes that whatever Google's intentions, it's not a neutral party. "I am very uncomfortable with technology organizations publishing details of vulnerabilities in the software of their peer organizations," he says. "I believe this sets a very low bar and is open for a 'tit-for-tat' reaction. Google has stated the objective of Project Zero is to reduce the number of people harmed by targeted attacks. But by publishing the details of a vulnerability it has potentially done the exact opposite."