Author Topic: Google released details about Un-Patched security vulnerability in Windows 8.1  (Read 3372 times)


Samker



Google has made public the details of a security vulnerability in Windows 8.1 a mere 90 days after disclosing it to Microsoft, sparking debate over the wisdom of the online giant's Project Zero security initiative.

The bug, which was privately reported to Microsoft in September, can potentially allow a logged-in user to execute code on Windows 8.1 machines with administrator privileges: https://code.google.com/p/google-security-research/issues/detail?id=118

The flaw lies in the handling of the NtApphelpCacheControl() system call, and it is a super obscure bug: a program must first obtain an access token from a system-level process (http://msdn.microsoft.com/en-us/library/windows/desktop/aa374909%28v=vs.85%29.aspx), such as BITS (http://msdn.microsoft.com/en-us/library/bb968799%28v=vs.85%29.aspx), and then call the aforementioned function to insert an entry into the application compatibility cache – an operation only admin-level code should be able to do. When the access token is examined, the program's impersonation level is not checked (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379572(v=vs.85).aspx), allowing the user-level software to masquerade as a privileged program and modify the cache. A carefully crafted cache entry can lead to Windows running an arbitrary executable with elevated privileges.

"This bug is subject to a 90 day disclosure deadline," Google's security team noted when it told Microsoft of the programming blunder. "If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public."

That deadline has now passed, and the full details of the bug were revealed on December 30 – including working proof-of-concept code, which the Chocolate Factory made available in both source code and executable binary form.

But not everyone agrees with the aggressive disclosure policy of Google's Project Zero, which was founded in July 2014 with the goal of rooting out bugs in widely used software: http://googleonlinesecurity.blogspot.com.es/2014/07/announcing-project-zero.html

"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," wrote one commenter on the bug report.

Others pointed out, however, that just because a bug hasn't been publicly disclosed doesn't mean hackers aren't already exploiting it.

"No one is done any good by keeping it secret," wrote another commenter. "By exposing the vuln they allow those billions who may be running vulnerable systems to be aware of the threat to their own security and take countermeasures."

Google security researcher Ben Hawkes defended the policy of auto-disclosure, writing:

"Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.

With that said, we're going to be monitoring the effects of this policy very closely ... We're happy to say that initial results have shown that the majority of the bugs that we have reported ... get fixed under deadline, which is a testament to the hard work of the vendors."


In response to the disclosure, Microsoft issued a statement to the effect that it is aware of the problem and is preparing a fix.

"We are working to release a security update to address an Elevation of Privilege issue," a Microsoft spokesperson told El Reg via email. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

The software giant did not say whether it planned to have a fix for the issue ready by this month's Patch Tuesday, which lands on January 13.

(ElReg)



devnullius

Will keep them sharp, those Redmond boys :)

And I must say... I kinda like the idea that I can download binaries to exploit systems. For those lonely office days XD

Devvie

Samker

Here is another one (third in a month): https://code.google.com/p/google-security-research/issues/detail?id=128

Quote
Windows: Impersonation Check Bypass With CryptProtectMemory and CRYPTPROTECTMEMORY_SAME_LOGON flag

"The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios, process, logon session and computer. When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag) the encryption key is generated based on the logon session identifier, this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another it supports extracting the logon session id from the impersonation token."

...

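As an added example (not code from the bug reports, El Reg or Microsoft): a small C model of the check that both bugs in this thread lack, the NtApphelpCacheControl() token check in the first post and the CryptProtectMemory / CRYPTPROTECTMEMORY_SAME_LOGON case quoted just above. It calls no Windows API; the token struct, the sample SIDs and the function names are constructed for illustration, and only the enum values mirror Windows' SECURITY_IMPERSONATION_LEVEL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the authorization decision; nothing here calls a
 * Windows API. Enum values mirror Windows' SECURITY_IMPERSONATION_LEVEL. */
typedef enum {
    SecurityAnonymous = 0,
    SecurityIdentification = 1, /* server may learn who the client is, no more */
    SecurityImpersonation = 2,  /* server may act as the client locally */
    SecurityDelegation = 3
} impersonation_level;
typedef enum { TokenPrimary = 1, TokenImpersonation = 2 } token_type;
typedef struct {
    const char *user_sid;         /* S-1-5-18 is the well-known LocalSystem SID */
    bool in_administrators_group;
    token_type type;
    impersonation_level level;    /* only meaningful for impersonation tokens */
} token;

/* The flawed decision: trusts whatever identity the token names. */
bool vulnerable_caller_is_privileged(const token *t) {
    return t->in_administrators_group || strcmp(t->user_sid, "S-1-5-18") == 0;
}
/* The missing check: an impersonation token below SecurityImpersonation only
 * identifies the client and must never be used to grant them rights. */
bool hardened_caller_is_privileged(const token *t) {
    if (t->type == TokenImpersonation && t->level < SecurityImpersonation)
        return false;
    return vulnerable_caller_is_privileged(t);
}

/* Constructed sample: an identification-level token naming LocalSystem, the
 * kind of token the bug report describes a normal user being able to present. */
token sample_identification_system_token(void) {
    token t = { "S-1-5-18", false, TokenImpersonation, SecurityIdentification };
    return t;
}
/* Constructed sample: a genuine administrator's primary token. */
token sample_admin_primary_token(void) {
    token t = { "S-1-5-21-0-0-0-1001", true, TokenPrimary, SecurityAnonymous };
    return t;
}

int main(void) {
    token weak = sample_identification_system_token(), admin = sample_admin_primary_token();
    printf("identification-level token: vulnerable=%d hardened=%d\n",
           vulnerable_caller_is_privileged(&weak), hardened_caller_is_privileged(&weak));
    printf("real admin token: hardened=%d\n", hardened_caller_is_privileged(&admin));
    return 0;
}
```

The same rule applies to a service that derives a logon session id from a client token: below SecurityImpersonation the token identifies the client and nothing more.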

