Google Project Zero Reveals Windows Vulnerability Before Microsoft Fix
A Windows vulnerability has been found by Google Security researcher James Forshaw, a member of Google Project Zero. Microsoft Windows 8.1 is confirmed to have a 0-day vulnerability that allows for exploitation of a “privilege escalation vulnerability in Windows 8.1.” This Windows vulnerability would allow a hacker to modify the contents of a target computer and, with the right programs, completely take over the victim’s computer.
To prove the Windows vulnerability, Forshaw has released a Proof-of-Concept program that will allow any Windows 8.1 user to open the Windows calculator in “admin mode,” belying the potential issues presented by this 0-day Windows vulnerability. This particular Windows vulnerability still requires local access to the target machine as well as valid logon credentials to non-admin accounts. While this is not a world-wide disaster, the potential for issues to arise in the next few days until Microsoft has fully patched the issue is very real. The issue has been confirmed for Windows 8.1 64 and 32 bit versions, and may even be viable on older versions of Windows such as Windows 7.
James Forshaw is a software vulnerability researcher at Context Information Security, which is based in the United Kingdom. He has previously won a $100,000 bounty from Microsoft in 2013 for discovering a mitigation bypass in Internet Explorer 11. Forshaw has recently joined the Google Project Zero team, which is dedicated to finding and fixing exploits such as this Windows vulnerability.
Google Project Zero
The Google Project Zero team is dedicated to “work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.” Robert Graham from Errata Security has previously commented to Forbes that Google has long since been looking for 0-day exploits in their own and other companies’ software. He clarified:
I don’t think anything’s changed other than now they have a really cool name to put on the project. The most important aspect of this is how it helps Google… having a close-knit team of researchers learning from each allows each member to produce vastly more than if they were working alone. Looking at other products produces intelligence that can be used to improve Google’s own products.
Some fear that Google’s Project Zero ends up creating a more visible market for 0-day exploits, such as one used by Russian hacker group w0rm to access CNET databases. In this instance, Google Project Zero has shown their commitment to their goal, largely at the expense of Microsoft. One comment on the Google Security Research email thread in response to the Windows vulnerability reveal sums it up:
Disclosing this may have been the right thing to do. Doing so based on an automated deadline with zero context from Google strikes me as much less so. It seems to me that the relationship between Google & MSFT’s respective security teams is fairly poor. Seeing things like this certainly goes a way to explaining why.
Microsoft Had 90 Days to Patch Windows Vulnerability
According to Google Project Zero, the issue was first reported directly to Microsoft on September 30th, 2014. The information is now being released to the public after their stated 90-day disclosure deadline:
Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the “Reported” label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.
Microsoft has responded:
We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
Images from Shutterstock.