
Google Project Zero Discloses a third Windows flaw that Microsoft failed to fix

The Google Project Zero team has disclosed a new unpatched flaw affecting Windows 8.1 systems, and the cyber security community is divided over whether the disclosure was right.

The Google Project Zero team has disclosed the details of two more unpatched Windows vulnerabilities under its disclosure policy. Google has released the details of another Windows vulnerability that Microsoft failed to fix because of compatibility issues. Google has publicly disclosed a new critical unpatched vulnerability in Windows 7 and Windows 8.1, leaving Microsoft users exposed to cyber attacks until next month, when the company plans to release a new security update.

This is the third Windows vulnerability disclosed by Google Project Zero before Microsoft could release a security update. Microsoft will patch only one of the vulnerabilities reported by Google Project Zero. On Thursday the team disclosed a new unpatched vulnerability affecting Windows 7 and Windows 8.1 systems, drawing the wrath of Microsoft over its disclosure policy.

The security flaw was reported to Microsoft on October 17. It affects both 32- and 64-bit architectures and could be exploited by attackers to access sensitive information or to bypass security checks. The vulnerability was automatically disclosed exactly 90 days after the report.

“The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios, process, logon session and computer. When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag) the encryption key is generated based on the logon session identifier, this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another it supports extracting the logon session id from the impersonation token,” reads the advisory published by Google Project Zero team.

“The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section. This behaviour of course might be design, however not having been party to the design it’s hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client.”
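The check the advisory implies, as an added example that is not part of the Google advisory or of this article: a service that encrypts or decrypts for a client's logon session should confirm that the client token's impersonation level is at least SecurityImpersonation before calling CryptProtectMemory with CRYPTPROTECTMEMORY_SAME_LOGON, so that an Identification-level token is never treated as the client. Helper names are hypothetical; the Windows API calls compile only on Windows (link against crypt32), while the policy function is portable.

```c
/* Added example: refuse to derive a logon-session key from a client token
   that only identifies the client. Hypothetical helper names. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* CryptProtectMemory; link with crypt32.lib */
#endif

/* Values of the Windows SECURITY_IMPERSONATION_LEVEL enum, listed here so the
   policy can be expressed and tested on any platform. */
enum { LVL_ANONYMOUS = 0, LVL_IDENTIFICATION = 1,
       LVL_IMPERSONATION = 2, LVL_DELEGATION = 3 };

/* Policy: a token may be used for the "same logon" scope only if it lets the
   service act on the client's behalf (Impersonation or Delegation), not if it
   merely identifies the client (Anonymous or Identification). */
int level_allows_same_logon(int level) {
    return level >= LVL_IMPERSONATION;
}

#ifdef _WIN32
/* Returns 1 if the calling thread's impersonation token is at least
   SecurityImpersonation, 0 if it is lower, -1 if there is no impersonation
   token or the query fails (a primary token has no impersonation level). */
int thread_token_allows_same_logon(void) {
    HANDLE tok;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok))
        return -1;
    SECURITY_IMPERSONATION_LEVEL lvl;
    DWORD len = 0;
    BOOL ok = GetTokenInformation(tok, TokenImpersonationLevel,
                                  &lvl, sizeof lvl, &len);
    CloseHandle(tok);
    if (!ok)
        return -1;
    return level_allows_same_logon((int)lvl);
}

/* Wrapper used while impersonating a client: only encrypt for the client's
   logon session when the token genuinely represents the client.
   len must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE. */
BOOL protect_for_client_logon(void *buf, DWORD len) {
    if (thread_token_allows_same_logon() != 1) {
        fprintf(stderr, "client token is not at Impersonation level; refusing\n");
        return FALSE;
    }
    return CryptProtectMemory(buf, len, CRYPTPROTECTMEMORY_SAME_LOGON);
}
#endif
```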

After the disclosure of the flaw in Windows 8.1, Microsoft asked Google to extend the deadline because it planned to fix the bug in February 2015, but Google refused in line with its 90-day disclosure policy. Microsoft then decided to address the vulnerability in January, but Google again refused to extend the disclosure deadline, even by two days.

Microsoft has criticized the Google disclosure policy. Chris Betz, senior director of Microsoft’s Security Response Center, explained that there was no benefit in disclosing the details of the flaw because Microsoft planned to release a security update on January 13.

“CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix.” wrote Betz.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” wrote Betz.

In this case too, the Google advisory includes a proof-of-concept that can be used to verify the flaw.

“We are not aware of any cyberattacks using the two cases publicly disclosed,” a Microsoft spokesman told Threatpost. “We’re working to address the first case, CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first.”

Pierluigi Paganini

(Security Affairs – Windows 8.1, Google Project Zero)
