Google has publicly released full details of a Windows 8.1 security vulnerability, some 90 days after it first disclosed the issue to Microsoft. The move has led to a widespread debate over the Project Zero security initiative run by the online giant. The initial report went to Microsoft in September and described a bug that allows a logged-in user without administrator privileges to execute code with elevated privileges on a machine running Windows 8.1.
The issue lies in NtApphelpCacheControl. It is incredibly obscure, and you really need to know what you are looking for in order to find it. First, the program needs to obtain an access token belonging to a system-level process; BITS is one example. The function is then invoked so that an entry can be written to the application compatibility cache. Normally, only someone with administrator privileges should be able to do this. It turns out, however, that when the access token is examined, the impersonation level of the token is not checked. This means that a standard user can use the software to pose as a privileged program and, as a result, modify the cache itself. Crafted properly by someone who knows what they are doing, the cache can make Windows run an arbitrary executable with elevated privileges. Google’s security team immediately notified Microsoft about the blunder in their programming.
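As an added illustration (not Google’s proof-of-concept and not Microsoft’s code), the portable C model below contrasts the kind of access check the write-up describes, which looks only at whose token is presented, with one that also requires a sufficient impersonation level. The token structure and the three sample tokens are constructed for this example; the level names and values match Windows’ SECURITY_IMPERSONATION_LEVEL.

```c
#include <stdbool.h>
#include <stdio.h>

/* Impersonation levels, numbered as in Windows' SECURITY_IMPERSONATION_LEVEL. */
typedef enum {
    SecurityAnonymous = 0,      /* server learns nothing about the client */
    SecurityIdentification = 1, /* server may read the identity but NOT act as the client */
    SecurityImpersonation = 2,  /* server may act as the client on the local system */
    SecurityDelegation = 3      /* server may act as the client on remote systems too */
} impersonation_level_t;

/* Simplified model of an access token; constructed for this example. */
typedef struct {
    const char *owner;           /* account the token identifies */
    bool is_admin;               /* member of the Administrators group (or SYSTEM) */
    impersonation_level_t level; /* how far the token's holder may be trusted */
} token_t;

/* Flawed check in the style the write-up describes: it asks only whether the
 * token belongs to a privileged account. An unprivileged caller holding an
 * Identification-level copy of a SYSTEM token passes this check. */
bool cache_write_allowed_vulnerable(const token_t *caller)
{
    return caller->is_admin;
}

/* Hardened check: a token below SecurityImpersonation proves who the client is
 * but grants no authority to act as them, so it must never authorise a
 * privileged write. On Windows the level is read with
 * GetTokenInformation(hToken, TokenImpersonationLevel, ...). */
bool cache_write_allowed_hardened(const token_t *caller)
{
    if (caller->level < SecurityImpersonation)
        return false;
    return caller->is_admin;
}

/* Scenario from the report: a standard user presents an Identification-level
 * token taken from a system service (BITS in the write-up). Sample values. */
const token_t identification_copy_of_system = { "NT AUTHORITY\\SYSTEM", true, SecurityIdentification };
const token_t genuine_admin = { "local administrator", true, SecurityImpersonation };
const token_t plain_user = { "standard user", false, SecurityImpersonation };

int main(void)
{
    printf("vulnerable check on Identification-level SYSTEM token: %s\n",
           cache_write_allowed_vulnerable(&identification_copy_of_system) ? "ALLOWED" : "denied");
    printf("hardened check on the same token: %s\n",
           cache_write_allowed_hardened(&identification_copy_of_system) ? "ALLOWED" : "denied");
    return 0;
}
```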
This bug is subject to a 90-day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
As promised, the details of the bug were revealed on December 30, when the deadline passed. The release included working proof-of-concept code, which the Chocolate Factory published both as an executable binary and as source code.
However, it seems that Google has stirred up a brand new storm. Some people think that the disclosure policy employed by Project Zero is far too aggressive. The project was launched in July 2014 with the aim of finding and identifying bugs in any software that is in regular public use, and various people have now spoken out against its aggressive approach.
Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I’d have expected a greater degree of care and maturity from a company like Google.
At the same time, there are users who feel that Project Zero is absolutely necessary. They believe that bugs that haven’t been disclosed yet may well have been identified by hackers already; after all, if Google can find them, others can as well. By releasing the bugs after a set deadline, Project Zero gives program owners the opportunity to make changes and gives users the opportunity to stop using the program until the bug is fixed. Indeed, those who support Project Zero feel that keeping issues secret doesn’t help anybody. Only when a vulnerability is exposed to everyone who uses a program are they aware that their security is at risk, giving them a true opportunity to take action against it. Ben Hawkes, security researcher at Google, has also defended the auto-disclosure policy.
Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.
At the same time, Hawkes stated that he understood the necessity of analyzing and monitoring the effects of the policy. So far, it has been shown that most of the reported bugs are fixed before the deadline actually passes. This demonstrates that software developers are committed to the security and safety of their users.
Microsoft, however, seemed less happy about the disclosure. The company has stated that it did indeed receive the report about the bug and has been working on fixing it, but was unable to do so within the deadline period. In an email received by El Reg, a Microsoft spokesperson explained that they are working to address an Elevation of Privilege problem. However, Microsoft wanted to stress that the bug can only be exploited by somebody who already has valid login credentials and local access to the machine in question. According to El Reg, so long as users have an up-to-date anti-virus package, install all Windows security updates and keep their firewall switched on, they should not have any problems with the bug. Interestingly, Patch Tuesday falls on January 13, but it is not known whether the issue will be fixed by then. Microsoft seems to be keeping quiet about how much progress it is making on fixing this issue at all.
Although the bug was published under Project Zero on December 30, it still took quite a number of days for news agencies to become aware of it. It is now found across all tech and marketing websites, and this is the flip side of Project Zero, in a way. Although there is certainly something to be said for releasing details of bugs that aren’t fixed within a certain deadline, it also means that it is almost impossible not to know that Microsoft has a bug. The vast majority of Microsoft users, however, have no real understanding of coding and credentials, and they may be unnecessarily put off the operating system when they are actually not at any risk. On the other hand, it should be Microsoft’s responsibility to set people’s minds at ease and explain how the bug is being fixed.