Google posts Windows 8.1 vulnerability before Microsoft can patch it

Reporter

Updated Fri, Jan 2, 2015, 10:04 AM·4 min read

Google's Project Zero tracks vulnerabilities in software systems and reports them to vendors "in as close to real-time as possible" -- a noble cause, no? But what happens if said vendor then fails to push a fix within the 90-day window? Microsoft just found out: Google will go ahead and publish the bug anyway, complete with code that can be used to exploit it. A researcher found a Windows 8.1 security hole that allows lower-level users to become administrators, giving them access to sensitive server functions they'd normally have no right to. Though it remains unpatched by Microsoft, the Zero team published it several days ago -- right on schedule.

Microsoft was quick to point out that attackers would "need to have valid logon credentials and be able to log on locally to a targeted machine." While that should limit the damage, it doesn't mean the flaw is harmless -- a disgruntled mid-level employee with some programming skills could wreak serious harm, for instance. Mountain View told us "just to make this absolutely clear, the (bug) was reported to Microsoft on September 30 (along with) the 90-day disclosure deadline statement... which in this instance has passed."

Still, some observers have raised questions about whether Project Zero does more harm than good if Google isn't flexible with its publishing deadline. Others argued that Microsoft had plenty of time to fix the bug, and Google was firm about its policy. "Project Zero's disclosure deadline... allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face." But it also added that "we're going to be monitoring the affects (sic) of this policy very closely."

Meanwhile, Microsoft said that it's currently "working to release a security update to address an Elevation of Privilege issue." For full statements from both companies, see below.

Microsoft:

We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

Google:

There was some confusion yesterday about whether we had contacted Msft about this issue, so we posted an update (below).
Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the "Reported" label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.
Project Zero's disclosure deadline policy has been in place since the formation of our team earlier in 2014. It's the result of many years of careful consideration and industry-wide discussions about vulnerability remediation. Security researchers have been using roughly the same disclosure principles for the past 13 years (since the introduction of "Responsible Disclosure" in 2001), and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy.
On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.
With that said, we're going to be monitoring the affects of this policy very closely - we want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security. We're happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors.

Engadget
The best webcams for 2024
Here's a list of the best webcams you can buy for your laptop or desktop, plus advice on how to choose the right one for you.
5 months ago
Engadget
Microsoft and OpenAI sued yet again by Chicago Tribune and New York Daily News
A group of publications that include the Chicago Tribune, New York Daily News and the Orlando Sentinel are accusing OpenAI and Microsoft of stealing their copyrighted content to train generative AI products.
56m ago
Engadget
The best gaming accessories on a budget for 2024
Here's a list of the best budget gaming accessories you can buy, as chosen by Engadget editors.
8 months ago
Engadget
The Cheyenne Supercomputer is going for a fraction of its list price at auction right now
The US government is selling the Cheyenne Supercomputer at auction for a fraction of the list price right now.
10h ago
Engadget
Binance founder Changpeng Zhao sentenced to four months in prison
A federal judge has sentenced Binance founder Changpeng Zhao to four months in prison. Prosecutors had recommended three years. Zhao pleaded guilty in November to violating the Bank Secrecy Act.
13h ago
Engadget
Assassin’s Creed Mirage finally arrives on June 6 for iPhone and iPad
The newest Assassin’s Creed game will soon arrive on iPhone and iPad. Assassin’s Creed Mirage, the 2023 installment that takes you to ninth-century Baghdad, will be available on June 6 for the iPhone 15 Pro series and iPads with an M-series chip.
15h ago
Engadget
US will require all new cars to have advanced automatic braking systems by 2029
The National Highway Traffic Safety Administration just announced new safety standards for US cars. All new cars must have automatic braking systems installed by 2029.
15h ago
Engadget
The European Union is investigating Meta’s election policies
The EU has officially opened a significant investigation into Meta for election disinformation. While the European Commission’s statement doesn’t explicitly mention Russia, Meta told Engadget the EU probe targets the country’s Doppelganger campaign.
16h ago
Engadget
The excellent and customizable Arc Browser is now fully available on Windows
The popular Arc Browser, which was previously a Mac exclusive, is now fully available for Windows users. It was in beta the past several months.
17h ago
Engadget
Apple is launching new iPads May 7: Here's what to expect from the 'Let Loose' event
Apple has scheduled an event for May 7 that'll more than likely focus on new iPads. Here's what we expect the company to show off.
6d ago
Engadget
Microsoft confirms its next Xbox Game Showcase is on June 9 at 1PM ET
Microsoft has officially announced the next Xbox Games Showcase. In a blog post, the company said the summer version will be on Sunday, June 9, at 10AM PT / 1PM ET.
18h ago
Engadget
The second-gen Apple Pencil falls back to $79 ahead of next week's iPad event
Apple is likely to introduce a new Pencil next week, but the second-gen model is back on sale for an all-time low of $79.
18h ago
Engadget
Tesla is reportedly getting 'absolutely hard core' about more layoffs, according to Elon Musk
Tesla has begun laying off more people, starting with two senior executives, with plans for hundreds more. CEO Elon Musk says the company has to get “absolutely hard core about headcount.”
19h ago
Engadget
The Instax mini 99 could pass for a real Fujifilm camera
With a matte black finish, the Insta mini 99 looks more professional than most of its predecessors. While there are no hybrid digital camera features, it delivers far more versatility than pretty much any other instant camera.
19h ago
Engadget
Beats announces Solo Buds, $80 wireless earbuds with 18-hour battery life
Beats' latest earbuds have the longest battery life of any it has ever made. Plus, they're budget friendly at $80.
20h ago
Engadget
Beats Solo 4 review: Upgraded audio, extended battery life and familiar design
Beats made significant updates to audio quality and battery life on the Solo 4, but the design is in need of a refresh.
20h ago
Engadget
Lorelei and the Laser Eyes preview: This may be my GOTY
Simogo knows how to make a damn fine puzzle game.
20h ago
Engadget
Instagram's algorithm overhaul will reward ‘original content’ and penalize aggregators
Instagram is overhauling its recommendation algorithm for Reels to boost “original content” in a move that will have significant implications for aggregator accounts and others that primarily repost other users’ work.
21h ago
Engadget
FCC fines America's largest wireless carriers $200 million for selling customer location data
The Federal Communications Commission has slapped the largest mobile carriers in the US with a collective fine worth $200 million for selling access to their customers' location information without consent.
22h ago
Engadget
The best work-from-home and office essentials for graduates
Hybrid work isn't going away any time soon. These are the best gadgets to gift recent graduates who split their time working from home and working in an office.
10 months ago

Google posts Windows 8.1 vulnerability before Microsoft can patch it

Latest Stories

The best webcams for 2024

Microsoft and OpenAI sued yet again by Chicago Tribune and New York Daily News

The best gaming accessories on a budget for 2024

The Cheyenne Supercomputer is going for a fraction of its list price at auction right now

Binance founder Changpeng Zhao sentenced to four months in prison

Assassin’s Creed Mirage finally arrives on June 6 for iPhone and iPad

US will require all new cars to have advanced automatic braking systems by 2029

The European Union is investigating Meta’s election policies

The excellent and customizable Arc Browser is now fully available on Windows

Apple is launching new iPads May 7: Here's what to expect from the 'Let Loose' event

Microsoft confirms its next Xbox Game Showcase is on June 9 at 1PM ET

The second-gen Apple Pencil falls back to $79 ahead of next week's iPad event

Tesla is reportedly getting 'absolutely hard core' about more layoffs, according to Elon Musk

The Instax mini 99 could pass for a real Fujifilm camera

Beats announces Solo Buds, $80 wireless earbuds with 18-hour battery life

Beats Solo 4 review: Upgraded audio, extended battery life and familiar design

Lorelei and the Laser Eyes preview: This may be my GOTY

Instagram's algorithm overhaul will reward ‘original content’ and penalize aggregators

FCC fines America's largest wireless carriers $200 million for selling customer location data

The best work-from-home and office essentials for graduates

About

Sections

Contribute

Buying Guides