Google Outs Critical Windows Vulnerability Microsoft Wouldn't Fix

A member of Google's "Project Zero" has made public a critical bug in Windows that Microsoft didn't fix in the 90-day window after the private disclosure of the bug to Microsoft.

Project Zero is a team of security experts Google put together to focus on making the Internet safer by finding vulnerabilities in critical Internet infrastructure. Project Zero has found multiple critical vulnerabilities in other operating systems as well, including Android, Linux, iOS and Mac OS X.

The bug in question appears to give a user (or malware) Administrator privileges simply by clicking on an .exe file. Even Administrator accounts are gated by UAC (the prompt that appears when you install something), which is meant to stop malware from automatically obtaining higher privileges on the system. This bug, however, makes it possible to auto-elevate the malware's privileges. According to the researcher who found it, the bug has so far only been tested on Windows 8.1, but it may also work on Windows 7.

Microsoft hasn't yet said why it hasn't patched this critical vulnerability since it was notified by the Google engineer about it all the way back on September 30. The next planned "Patch Tuesday," the day in which Microsoft usually updates Windows, will be on January 13, but Microsoft hasn't said whether this bug will be fixed then, sooner, or when it will happen exactly. It did, however, admit the bug's existence in a public statement:

"We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log on credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

Usually, there are two ways to disclose bugs: either right away, to force companies to fix them as soon as possible, or privately, to allow companies time to address the bug.

There are major downsides with each option. In the first case, the bug may not be easy to fix, and if it's a serious one it could allow malicious attackers to exploit it to its fullest until it's patched. In the second, companies may not want to disclose the bug publicly at all, fearing that it could cause a major PR scandal for them. For instance, a bank may not want to say that its services had a bug that could allow its customers' funds to be stolen, because that could threaten its business by scaring away customers.

Some security researchers, such as Google's Project Zero team, have adopted a compromise: They don't disclose bugs publicly as soon as they're discovered, but they also don't wait indefinitely for companies to get around to fixing them. Project Zero has a 90-day disclosure policy, which seems like plenty of time to fix the vast majority of bugs, especially in a time when the number of computer hacks seems to be increasing.

For some reason, Microsoft hasn't gotten around to fixing this critical bug. It's unlikely the company was afraid of a PR scandal, considering how many of these bugs are discovered and disclosed for Windows all the time, including by the company itself.

Either Microsoft had other, more important bugs to fix (although it's unlikely there are many bugs more important than privilege escalation), or it's a bug that's hard to fix without breaking something else in Windows. This should become clearer when Microsoft eventually releases a fix.

Microsoft also has a policy of disclosing the bugs it discovers for Windows to the NSA, CIA, FBI and other government agencies, in a type of "early alert" system that is supposedly meant to protect these agencies against those vulnerabilities as soon as possible. The practice also gives Microsoft and other companies access to classified information, and it possibly makes it easier for them to obtain other lucrative contracts with other government agencies.

However, as Snowden has revealed, and Microsoft itself knows, these vulnerabilities are usually used by the intelligence agencies to hack into foreign institutions that use Microsoft's software, putting Microsoft's foreign customers at a disadvantage compared to its U.S. government customers.

The fairest policy would seem to be for Microsoft to release a patch as soon as possible for all of its customers.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Darkk
    Microsoft's advice: "Install all available Security Updates and enable the firewall on their computer"

    Firewall isn't going to do squat since all it takes is a user getting that infected .exe file and boom. You're screwed. Luckily most users know not to ever open an attachment that contains the .exe file.

    Firewalls on PCs for outbound connections are useless since they allow all outbound unless you create specific rules to block them.
  • maddad
    A firewall blocks incoming connections. So it is definitely good advice from Microsoft, plus the attacker has to get access to your computer, so there is a low probability of getting hit by this attack. Still, 90 days should have been plenty of time for a fix!
  • ahnilated
    A firewall blocks incoming connections. So it is definitely good advice from Microsoft, plus the attacker has to get access to your computer, so there is a low probability of getting hit by this attack. Still, 90 days should have been plenty of time for a fix!

    Are you kidding me? People click on these things all the time still. I work on computers and have to deal with them installing things they don't know about. It is even worse if it comes from an email account they know, they will blindly click on it and run it.
  • red77star
    Wait...but go upgrade to Windows 8, 8.x because it is more secure than Windows XP and Windows 7? ***Sarcasm.
  • turkey3_scratch
    14958604 said:
    Microsoft's advice: "Install all available Security Updates and enable the firewall on their computer"

    Firewall isn't going to do squat since all it takes is a user getting that infected .exe file and boom. You're screwed. Luckily most users know not to ever open an attachment that contains the .exe file.

    Firewalls on PCs for outbound connections are useless since they allow all outbound unless you create specific rules to block them.

    Lol exactly what I thought, like firewall is going to do anything. Firewalls are sometimes overrated and misunderstood.
  • PerilSensitive
    I don't see any Android issues on that issue list. Are they kept separately?

    https://code.google.com/p/google-security-research/issues/list?can=1&q=&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
  • FTLAUDMAN
    Perhaps the US government was using this exploit and it was on their "stall until public" list of fixes.
  • Ed Chombeau
    Who said it is "critical"---crying wolf again. This has NO effect on the average home user. If it was really serious, don't you think a better explanation by Google would be the right thing to do, instead of "screaming fire" in a crowded theater---JERKS AT GOOGLE
  • GreenPhantom
    Microsoft can't prevent stupidity.
  • alextheblue
    Are you kidding me? People click on these things all the time still. I work on computers and have to deal with them installing things they don't know about. It is even worse if it comes from an email account they know, they will blindly click on it and run it.
    Read the article. "they would first need to have valid log on credentials and be able to log on locally to a targeted machine." Sounds like you're already pretty well compromised at that point. Hardly a scary bug - if you've got local access there are plenty of things you could do.

    all it takes is a user getting that infected .exe file and boom. You're screwed. Luckily most users know not to ever open an attachment that contains the .exe file.

    Firewalls on PCs for outbound connections are useless since they allow all outbound unless you create specific rules to block them.
    First, read the article. As I said above, straight from the article, they can't just download an .exe and are automagically screwed.

    Second, there are PLENTY of two-way firewalls that secure outbound connections by default. What you're describing is the simplest, dumbest old-school "firewall" on the planet. Even the built-in Windows firewall has some limited outbound protection capability out of the box for non-trusted programs.

    Look at ZoneAlarm (just as an example - there are dozens of others); it has been securing outbound access by programs since the Win9x days. Back then you were prompted for each new/changed program requesting access. You could choose to allow/deny, and it had options for remembering this choice until the program changed or until you changed the settings yourself.

    Now they use more automation and have various settings ranging from mostly-automated outbound security (learning mode, trusted vs unknown) to the classic strict mode I remember from years ago. Either way, there's more outbound program control available in the "Firewall" market than you can shake a stick at. Though many firewalls are now integrated into total security suites comprising AV, firewall, and anti-malware capabilities. Welcome to the 21st century.