
Google's Project Zero reveals another Windows zero-day vulnerability

For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.

Google Inc. has revealed another Windows zero-day vulnerability that Microsoft Inc. has not yet been able to patch, marking the third time in the last month that Google's Project Zero has released details about an unpatched Windows flaw.

The latest zero-day vulnerability has been confirmed in Windows 7 and 8.1 and affects the function CryptProtectMemory, which could allow memory-sharing and logon session ID extraction between processes.

According to the description of the flaw by Project Zero, "the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session."

Project Zero first reported the flaw to Microsoft on Oct. 17th, at which point the clock began ticking on Google's 90-day disclosure deadline, which states that the bug report will automatically be posted if there is no "broadly available patch" within the time frame.

According to follow-up posts on Google's Project Zero issue-tracking site, Microsoft had a fix planned as part of the January 2015 Patch Tuesday, but had to delay it because of compatibility issues. A patch is now planned to be included with the February 2015 Patch Tuesday bulletins, but Google's revelation may put Windows customers at risk between now and then.

Both sides need to take responsibility

Google has come under fire for its automatic disclosure policy, which Microsoft says needlessly puts users at risk while a fix is in the works. However, Chris Wysopal, CTO and CISO of Burlington, Mass.-based security vendor Veracode Inc., adds a caveat about how big a threat this flaw would pose.

"It's not clear which attack vector would leverage this vulnerability. For starters, it's a local vulnerability, which makes it less serious than a remotely exploitable vulnerability. It likely can be used for privilege elevation -- which means that attackers could easily exploit this vulnerability to install cyber-espionage or botnet malware on the enterprise systems," said Wysopal.

Wysopal does agree that Google may want to reconsider its blanket policy to release zero-day vulnerability reports, saying that there will be exceptions to every rule, and reports should be held back when there is a good explanation why a patch can't be released by the deadline.

"Google looks bad because of their arbitrary 90-day disclosure, seemingly not taking into account whether or not the vulnerability CAN safely be patched in 90 days," said Matt Larsen, solutions architect for Waltham, Mass.-based security vendor Bit9 Inc. in a blog post. "Microsoft then looks bad if they can't patch it in time, or worse, if the patch has technical issues."

According to Larsen, both sides need to accept more responsibility, and focus on the greater good, or else both sides look bad, and users get hurt in the process.


Join the conversation


Do you agree with Google releasing this Windows vulnerability information? Why or why not?
I do not agree with Google about releasing this particular Windows vulnerability. As I mentioned in another post on this, I understand a disclosure deadline to help motivate a company to fix their bugs so that they aren’t dropped onto the backlog where they live on indefinitely, but an automatic 90-day disclosure policy that ignores context has the potential to do more harm than good. Bug advocacy is not about getting every bug fixed – it’s about getting the right bugs fixed.
Oddly enough, I have to agree with Google and their revealing of the issue. While I agree it forces Windows to fix the issue, it also forces them to take a look at their code to make sure that they don't have other issues. Far too many companies make bug repairs the lowest priority, and will ignore the little person
I would have to side with Google. If there is a flaw out there and the owner is not making it public, I would still want to know. One, for my own protection and secondly, I'd question as to why the owner did not release the information so users may take the appropriate steps.
Are they trying to hide something to protect their reputation or do they just not care?  
As long as the company is aware of the issues, I am sure they will work toward it. As long as they are not freaking out about the issues and putting out fires, they should have a clear head to move forward and make decisions that would be beneficial to all organizations in terms of their safety. 
I understand a disclosure deadline to help motivate a company to fix their bugs so that they aren’t dropped onto the backlog where they live on indefinitely, but an automatic 90-day disclosure policy that ignores context has the potential to do more harm than good. Bug advocacy is not about getting every bug fixed – it’s about getting the right bugs fixed.