Naked Security Naked Security

Zero-day in Windows 8.1 disclosed by Google

A new zero day vulnerability has been disclosed in Microsoft Windows 8.1. Who is behind releasing the attack code behind this flaw? Google.
Written by
January 03, 2015
Naked Security full disclosure Google Microsoft Project Zero UAC Windows 8.1

Project Zero Full DisclosureSome situations in life call for a zero-tolerance policy. Drunk driving, sexual harassment and murder come to mind. But do security vulnerabilities pass the test?

Google seems to think so. Google’s Project Zero team publicly disclosed a zero-day vulnerability in Microsoft Windows 8.1 on December 29th after giving the software giant 90 days to patch the flaw.

Before I go any further, if you are a Windows 8.1 user, don’t panic (Thanks Doug)!

The flaw is a elevation of privilege flaw (EoP) in NtApphelpCacheControl, a function used for caching application compatibility information.

For example, it can be used to bypass User Account Control (UAC), allowing a malicious application to promote itself to administrator even if it started off with the privilege of a regular user.

Fortunately this means you have to already have been compromised for this vulnerability to be of use. There are also mitigations that can be employed to reduce the risk from this flaw.

People testing the vulnerability are saying that using UAC at its maximum setting prevents the attack, at least as demonstrated by Google, from working without a warning being presented.

The controversy isn’t so much about the severity of this vulnerability, but rather Google’s policy regarding disclosure of exploits.

The Project Zero team gives software developers 90 days to fix vulnerabilities before automatic full disclosure occurs. In this case Microsoft was notified on September 30th, leading to the disclosure on December 29th, 2014.

Is 90 days enough? Hard to say. Google says it picked 90 days as a sort of happy medium.

Short enough time to put pressure on vendors to fix flaws, but long enough that most issues should be able to be resolved within that timeframe.

In this case, 90 days clearly wasn’t enough for Microsoft to feel confident in shipping a well-tested update. Redmond has had a bit of a rough time with QA of security updates as of late.

DontBeEvil courtesy of Tangi Bertin's Flickr pageWithout getting into the full disclosure debate, there is one thing about this particular disclosure that doesn’t lend credibility to Google’s arguments that Project Zero is doing a public service and abiding by its famous “Don’t be evil” policy.

The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability.

In my book, that’s not compatible with behaviour that is allegedly in the public interest.

Hopefully, Microsoft will give us a New Year’s gift of a fix next Patch Tuesday, which will be on January 13th, 2015.


Creative Commons “Don’t be evil” image courtesy of Tangi Bertin’s Flickr photostream.

About the Author

Chester Wisniewski is Director, Global Field CTO at next-generation security leader Sophos. With more than 25 years of security experience, his interest in security and privacy first peaked while learning to hack from bulletin board text files in the 1980s, and has since been a lifelong pursuit. 

Chester works with Sophos X-Ops researchers around the world to understand the latest trends, research and criminal behaviors. This perspective helps advance the industry's understanding of evolving threats, attacker behaviors and effective security defenses. Having worked in product management and sales engineering roles earlier in his career, this knowledge enables him to help organizations design enterprise-scale defense strategies and consult on security planning with some of the largest global brands.

Based in Vancouver, Chester regularly speaks at industry events, including RSA Conference, Virus Bulletin, Security BSides (Vancouver, London, Wales, Perth, Austin, Detroit, Los Angeles, Boston, and Calgary) and others. He’s widely recognized as one of the industry’s top security researchers and is regularly consulted by press, appearing on BBC News, ABC, NBC, Bloomberg, Washington Post, CBC, NPR, and more.

When not busy fighting cybercrime, Chester spends his free time cooking, cycling, and mentoring new entrants to the security field through his volunteer work with InfoSec BC. Chester is available on Mastodon (securitycafe.ca/@chetwisniewski).

For press inquiries, email chesterw [AT] sophos [.] com.

Read Similar Articles