Google Inc. has revealed another Windows zero-day vulnerability that Microsoft Inc. has not yet been able to patch, marking the third time in the last month that Google's Project Zero has released details about an unpatched Windows flaw.
The latest zero-day vulnerability has been confirmed in Windows 7 and 8.1 and affects the function CryptProtectMemory, which could allow memory-sharing and logon session ID extraction between processes.
According to the description of the flaw by Project Zero, "the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session."
Project Zero first reported the flaw to Microsoft on Oct. 17, at which point the clock began ticking on Google's 90-day disclosure deadline, under which the bug report is automatically published if there is no "broadly available patch" within that time frame.
According to follow-up posts on Google's Project Zero issue-tracking site, Microsoft had a fix planned as part of the January 2015 Patch Tuesday, but had to delay it because of compatibility issues. A patch is now planned to be included with the February 2015 Patch Tuesday bulletins, but Google's revelation may put Windows customers at risk between now and then.
Both sides need to take responsibility
Google has come under fire for its automatic disclosure policy, which Microsoft says needlessly puts users at risk while a fix is in the works. However, Chris Wysopal, CTO and CISO of Burlington, Mass.-based security vendor Veracode Inc., does put a caveat on how big a threat this flaw poses.
"It's not clear which attack vector would leverage this vulnerability. For starters, it's a local vulnerability, which makes it less serious than a remotely exploitable vulnerability. It likely can be used for privilege elevation -- which means that attackers could easily exploit this vulnerability to install cyber-espionage or botnet malware on the enterprise systems," said Wysopal.
Wysopal does agree that Google may want to reconsider its blanket policy to release zero-day vulnerability reports, saying that there will be exceptions to every rule, and reports should be held back when there is a good explanation why a patch can't be released by the deadline.
"Google looks bad because of their arbitrary 90-day disclosure, seemingly not taking into account whether or not the vulnerability CAN safely be patched in 90 days," said Matt Larsen, solutions architect for Waltham, Mass.-based security vendor Bit9 Inc., in a blog post. "Microsoft then looks bad if they can't patch it in time, or worse, if the patch has technical issues."
According to Larsen, both sides need to accept more responsibility, and focus on the greater good, or else both sides look bad, and users get hurt in the process.
Google was criticized for revealing another Windows zero-day vulnerability earlier in January.