Google has made public the details of a security vulnerability in Windows 8.1 a mere 90 days after disclosing it to Microsoft, sparking debate over the wisdom of the online giant's Project Zero security initiative.
The bug, which was privately reported to Microsoft in September, can potentially allow a logged-in user to execute code on Windows 8.1 machines with administrator privileges.
The flaw lies in the handling of the
NtApphelpCacheControl() system call, and it is a super obscure bug: a program must first obtain an access token from a system-level process, such as BITS, and then call the aforementioned function to insert an entry into the application compatibility cache – an operation only admin-level code should be able to do. When the access token is examined, the program's impersonation level is not checked, allowing the user-level software to masquerade as a privileged program and modify the cache. A carefully crafted cache entry can lead to Windows running an arbitrary executable with elevated privileges.
"This bug is subject to a 90 day disclosure deadline," Google's security team noted when it told Microsoft of the programming blunder. "If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public."
That deadline has now passed, and the full details of the bug were revealed on December 30 – including working proof-of-concept code, which the Chocolate Factory made available in both source code and executable binary form.
But not everyone agrees with the aggressive disclosure policy of Google's Project Zero, which was founded in July 2014 with the goal of rooting out bugs in widely used software.
"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," wrote one commenter on the bug report.
Others pointed out, however, that just because a bug hasn't been publicly disclosed doesn't mean hackers aren't already exploiting it.
"No one is done any good by keeping it secret," wrote another commenter. "By exposing the vuln they allow those billions who may be running vulnerable systems to be aware of the threat to their own security and take countermeasures."
Google security researcher Ben Hawkes defended the policy of auto-disclosure, writing:
Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.
With that said, we're going to be monitoring the effects of this policy very closely ... We're happy to say that initial results have shown that the majority of the bugs that we have reported ... get fixed under deadline, which is a testament to the hard work of the vendors.
In response to the disclosure, Microsoft issued a statement to the effect that it is aware of the problem and is preparing a fix.
"We are working to release a security update to address an Elevation of Privilege issue," a Microsoft spokesperson told El Reg via email. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
The software giant did not say whether it planned to have a fix for the issue ready by this month's Patch Tuesday, which lands on January 13. ®