Project Zero team has disclosed a new unpatched Windows 8 flaw

Google Project Zero team disclosed a new unpatched vulnerability affecting Windows 8.1 systems unleashing the wrath of Microsoft for its disclosure policy.

Google’s Project Zero hacking team has disclosed the details of a new unpatched Windows 8.1 Privilege Escalation vulnerability in Microsoft Windows 8.1 OS.

It is the second flaw in Windows 8.1 OS publicly disclosed by the Elite Google Team in a few weeks, also in this case the experts have waited for 90 days before unveil the details of the vulnerability in compliance with its disclosure policy. It is curious to note that in November, Microsoft asked Google to extend the deadline because it was planning to fix the bug in February 2015, but Google refused in compliance with its policy. Microsoft decided to address the vulnerability in January, but Google refused again to extend the disclosure deadline even by two days.

The expert also confirmed that Windows 7 systems are affected by the flaw, the expert also provided a proof-of-concept (PoC) showing how to exploit the security flaw in a real attack on Windows 8.1.

“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced,” reads the report issued by Google.

“However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs everytime the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” the company added.

Microsoft has criticized the Google disclosure policy,  Chris Betz, senior director of Microsoft’s Security Response Center, in a blog post the expert explained that there was no reason to disclose the details of the flaw because Microsoft plans on releasing a security update on January 13.

“CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix.” wrote Betz.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” wrote Betz.

It is difficult to express an opinion on the case, despite it is correct to respect the disclosure policy to force company fixing the flaw, it must be also considered a possible tolerance for cases like this, especially when there are technical issues that must be carefully analyzed to avoid regression errors.

Pierluigi Paganini

(Security Affairs –  Windows 8.1, Google Project Zero)