Google Discloses Windows Zero-day Before Microsoft Can Issue Patch

Google Discloses Microsoft Zero Day Flaw

Windows 8.1 Vulnerability Unfixed After 90 Days, Google Says

(This story has been updated)


Microsoft says it's prepping a patch for a vulnerability that exists in Windows 8.1 - and possibly other versions of Windows - that was recently disclosed by Google. The bug report has triggered both praise and condemnation for the 90-day deadline Google gives vendors to patch flaws before it publicly releases full details of a bug.

Microsoft says the flaw spotted by Google's researchers could facilitate a privilege-escalation attack, thus giving an attacker administrator-level access to a system, which could allow them to bypass some security controls and execute malicious code. "We are working to release a security update to address an elevation of privilege issue," Microsoft says in a statement.

The vulnerability, Google says, relates to how a system call "allows application compatibility data to be cached for quick reuse when new processes are created," and that "a normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators." By targeting a vulnerability in that process, however, Google says that an attacker could use a local system process to obtain an administrator-level identity token.

Google's bug report to Microsoft - dated Sept. 30, 2014 - includes a proof-of-concept attack that shows how the vulnerability can be exploited. As of Jan. 5, 2015, 12 out of 55 anti-virus engines tested by the malware-scanning service VirusTotal were flagging the proof-of-concept code as malicious.

But Microsoft points out: "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer."

Google's bug report says the flaw exists at least in Windows 8.1, and in both the 32-bit and 64-bit versions. As of December 2014, Windows 8.1 was running on 9.5 percent of all desktops and laptops, according to market research firm NetMarketShare.

But Google says more versions of Windows may be at risk from the flaw, noting that "no effort has been made to verify it on Windows 7." Microsoft also has yet to detail exactly which versions of its Windows operating systems sport the flaw.

Debating Google's Policies

Google's Sept. 30 bug report to Microsoft included this warning: "If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public." On Dec. 29, the bug report was updated to read: "Deadline exceeded - automatically derestricting."

London-based Fayaz Khaki, associate director of information security for market research firm IDC, notes that the bug detailed by Google "is not a high-priority vulnerability" to fix, because an attacker would need to possess valid log-in credentials before they could exploit the flaw. But he questions Google's deadline. "I think Google's 90-day window to get bugs fixed is aggressive, particularly as Google cannot know the outcome of the potential fix, i.e. what chain reaction does the fix have on the software or user experience? Will the fix have an impact on another part of the software forcing Microsoft to re-engineer more than one part of the software? Will the fix have an impact on the user experience?" he says.

But reaction to Google detailing a previously unknown vulnerability in the most recent version of Windows - prior to Microsoft patching the flaw - has been mixed, at least to judge by the comments posted to Google's bug report.

"This is an incredibly bad policy on auto-disclosure, particularly with a deadline over the holiday season," says one commenter. "As the former CEO of a vulnerability assessment firm, this behavior would have you listed as a 'grey hat' immediately for putting the public at harm."

Some, however, have praised Google's policies. "Microsoft had three months to resolve this and were aware of Google's disclosure timeline," says another commenter. "If they chose not to address it, that is their decision. I have waited years (sometimes 4+) for Microsoft to address security issues I reported. A 90-day timeline makes a lot more sense in terms of improving overall security."

Setting deadlines for vendors to acknowledge a bug report and agree to a "coordinated disclosure" date is not uncommon. Vulnerability and patch management vendor Secunia, for example, offers a default six-month window between when it first notifies a vendor of a flaw and when it publicly releases full details of the flaw - providing there's no evidence that the bug is being actively exploited in the wild. Kasper Lindgaard, Secunia's director of research and security, says the firm will also grant a brief, one-time extension, upon request, to a vendor that appears to be trying in good faith to fix a flaw, but which needs more time.

Secunia's Kasper Lindgaard analyzes Google's 90-day vulnerability-notification window for vendors.

While it's reasonable to expect most fixes to arrive within three months, Lindgaard says, patching, testing and conducting quality assurance - to make sure fixes don't have unintended effects - on something as complex as the Windows kernel might reasonably take longer. He adds that Microsoft was forced to reissue a botched Windows 8.1 update in August 2014, followed by a bad Windows 7 patch in November. "So they might have been extra careful on this one, because they don't want to push anything out that hasn't been 100 percent through the QA process," he says.

Striking a Balance

Reacting to the debate over its disclosure policies, Google's Ben Hawkes, who's a member of the company's Project Zero bug-hunting team, says that the 90-day deadline isn't meant to be punitive, but rather meant to balance user security with giving vendors enough time to build, test and deploy patches.

"The majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors," Hawkes says. "With that said, we're going to be monitoring the [effects] of this policy very closely - we want our decisions here to be data-driven, and we're constantly seeking improvements that will benefit user security."

But IDC's Khaki notes that whatever Google's intentions, it's not a neutral party. "I am very uncomfortable with technology organizations publishing details of vulnerabilities in the software of their peer organizations," he says. "I believe this sets a very low bar and is open for a 'tit-for-tat' reaction. Google has stated the objective of Project Zero is to reduce the number of people harmed by targeted attacks. But by publishing the details of a vulnerability it has potentially done the exact opposite."

Source: https://www.bankinfosecurity.com/google-discloses-microsoft-zero-day-a-7747
