Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
  • 90 days to fix (Score:5, Insightful)

    by Anonymous Coward on Wednesday December 31, 2014 @02:15PM (#48706655)

    "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
    Really? They had 90 days to fix this. That is plenty of time.

    • by plover ( 150551 )

      "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
      Really? They had 90 days to fix this. That is plenty of time.

      It's no big deal. I'm posting this from my Windows 8.1 box, and nothing bad has happened. ... @LizardMafia RULEZ!1! d0wn with S0NY!!11!

      • by RingDev ( 879105 )

        From the looks of things, this vulnerability only allows the would-be exploiter to circumvent UAC.

        They still need valid credentials for a user with Admin rights to do anything significant (the demo just attempts to launch Calculator).

        Which, given your post, would imply that you are logged into your Windows 8.1 PC as a user with Admin rights. And if you are perusing Slashdot while logged in as an Admin, you are doing something far worse than Google disclosing the vulnerability :P

        -Rick

    • "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
      Really? They had 90 days to fix this. That is plenty of time.

      You've never been through regression testing have you?

      • You've never been through regression testing have you?

        If stories of Microsoft's competence (heh heh) are to be believed (heh heh heh) then they already have a full test harness in place, and engineers tasked full-time with adding new cases to the system. Given what slips through, though, one doubts both their competence and also that they have a meaningfully representative set of PCs to test on. I'll grant you that would be difficult in the best case due to wide variation in the market, but the point stands.

    • by gweihir ( 88907 )

      I agree. Even a second-rate software shop should have no trouble meeting that deadline. It appears that MS is still third-rate. The only thing that will help is making them fully responsible for any and all damage caused by their inaction.

    • Really? They had 90 days to fix this. That is plenty of time.

      Really? says who? YOU? Anonymous coward says so?

      I'm just thinking out loud here, but if everyone's PC gets infected by someone using the knowledge given by this asshole, everyone who gets exploited and has their credit card exploited or their debit cards exploited or PC exploited should sue Google. It's not their right to make Windows/any OS users open to scum criminal hackers. IMO this is nothing more than criminal blackmail. They can't beat MS with an
  • by Anonymous Coward on Wednesday December 31, 2014 @02:16PM (#48706661)

    Undisclosed?

    • I do not think that word means what you think it means.
    • by ceoyoyo ( 59147 )

      Google inadvertently reveals they have captured enough of the Internet to erase things from it.

    • It is like a double positive... Yeah, right.
    • by marciot ( 598356 )

      So this is good. This vulnerability was previously disclosed, but they undisclosed it. The undisclosure was done by the NSA using their version of the neuralizer, the existence of which was disclosed by Snowden last year, but has since been undisclosed (which is why you don't know about it).

    • Haven't they already proven it is impossible to "UNdisclose" anything on the internet. Once it is disclosed, it's out there forever.

      "Can't stop the signal, Mal."

    • by ndogg ( 158021 )

      I think they meant non-undisclosed, which is a perfectly cromulent word. Irregardless, we should all be carefuller with grammar.

    • by Maritz ( 1829006 )
      Yeah. Personally if I was writing a summary for a news site, I'd check what the fuck I was saying makes sense before posting it.
  • by Anonymous Coward

    Is a reasonable amount of time to let a company sit on a known vulnerability? I feel like 90 days is pretty reasonable. There's still that Apple root pipe thing that's floating around that they haven't fixed and hasn't been fully disclosed.

    • by gweihir ( 88907 )

      90 days is plenty if they are actually prepared to maintain their stuff. It seems MS is not.

  • Ha ha ha (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday December 31, 2014 @02:27PM (#48706757) Homepage Journal

    The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.

    Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.

    • Re:Ha ha ha (Score:5, Informative)

      by nobuddy ( 952985 ) on Wednesday December 31, 2014 @04:06PM (#48707543) Homepage Journal

      People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
      Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.

      • Re:Ha ha ha (Score:5, Interesting)

        by Dutch Gun ( 899105 ) on Wednesday December 31, 2014 @05:57PM (#48708279)

        Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority. They've taken reported security exploits seriously for a very long time now, and disclosing any vulnerability before a patch is deployed is absolutely irresponsible. It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.

        Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people... much more so than security issues that may not have even been seen in the wild yet (I saw no indication in the linked article that this was the case) - but now probably will since the attack is known. If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

        Sorry if I sound like an MS shill, but Google is really starting to piss me off with their high-handed attitude on stuff like this lately.

        • by robi5 ( 1261542 )

          I've been laughing, reading your tongue-in-cheek humor until your last sentence... then realized that maybe you actually meant what you wrote...

        • Re: (Score:2, Interesting)

          by strikethree ( 811449 )

          Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority.

          ROFLMAO. I could go on and on for hours about how pathetic Microsoft Security is but instead, I will not bore you and just talk about the one that is the largest pain in my rear right now: It is titled Windows Credential Theft.

          Yes, the geniuses at Microsoft decided that leaving Domain Admin credentials laying about on any average workstation is not a huge problem. It is not like just anyone has access to the computer after all and it is not like having your entire domain compromised is a huge deal...

          Serious

          • Ok, people are getting distracted by my statement that MS is "taking security seriously". Let's put aside how *effectively* they're "taking security seriously" for now, because that's entirely beside the point. My point was this: MS has well-established machinery and procedures in place for accepting bug reports and getting them fixed. This is indisputable; a lot of bugs have been responsibly reported to them in confidence and subsequently fixed. We see them every month on Patch Tuesday. Did th

        • Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people

          So, get to the part where it's google's fault that Microsoft is too incompetent to take security seriously?

        • by Kirth ( 183 )

          > It's arrogant as hell for Google to decide that 90 days is long enough, thank you.

          Totally ridiculous. I've witnessed the "responsible disclosure" discussions a few years back, and even then, 4 weeks was considered generous. I'd say it's totally egotistical of you to expect Google to even keep quiet for more than 30 days.

          I'd have given them two weeks and gone out with it. And there are some researchers with a lot more clout than me who would have given them exactly ZERO days: http://www.securityfocus.com/a... [securityfocus.com]

    • by gweihir ( 88907 )

      If software manufacturers actually cared to fix things fast, there would be no need. But as fixing bugs costs money and there is _zero_ penalty for not doing so, most do not bother unless forced to. 90 days is plenty. Things not fixed in 90 days will never be fixed, unless there is at the very least a risk of bad press.

  • by Junta ( 36770 ) on Wednesday December 31, 2014 @02:35PM (#48706827)

    This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

    MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

    To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

    • by cnettel ( 836611 )

      This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

      MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

      To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

      While impersonation and other techniques are used a lot more, including larger portions of the API, impersonation itself has been around since NT 3.1. Are you a file server process serving a request from a client? Just create an impersonation context for the user who sent the request and pass that along to the file system. You only need to make sure that you create the right context and tell other services on whose behalf you are doing this. This is not identical to setuid and similar, most importantly bec
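The summary says AhcVerifyAdminContext() does not correctly check the caller's impersonation token, and cnettel's comment above explains how Windows impersonation hands a client's identity to a server thread. The portable C model below is added here (it is not code from ahcache.sys, from the Google report, or from any poster) to contrast a check that trusts group membership of whatever token is active with one that also requires a sufficient impersonation level and a non-deny-only Administrators group. The token field layout, the scenario tokens, and the assumption that a too-low impersonation level is the relevant weakness are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the Windows token fields an admin check depends on. */
typedef enum {
    LEVEL_ANONYMOUS = 0,      /* SecurityAnonymous */
    LEVEL_IDENTIFICATION = 1, /* SecurityIdentification: identity only, no authority */
    LEVEL_IMPERSONATION = 2,  /* SecurityImpersonation: may act as the user locally */
    LEVEL_DELEGATION = 3      /* SecurityDelegation */
} impersonation_level;

typedef struct {
    bool is_impersonation;      /* thread impersonation token rather than a primary token */
    impersonation_level level;  /* meaningful only when is_impersonation is set */
    bool has_admin_group;       /* BUILTIN\Administrators SID present in the group list */
    bool admin_group_deny_only; /* that SID flagged deny-only, as in a UAC-filtered token */
} token;

/* Windows evaluates the thread's impersonation token when present, else the process token. */
static const token *effective_token(const token *thread_tok, const token *process_tok) {
    return thread_tok ? thread_tok : process_tok;
}

/* Weak check: trusts group membership of whatever token is active on the thread. */
bool admin_check_weak(const token *thread_tok, const token *process_tok) {
    return effective_token(thread_tok, process_tok)->has_admin_group;
}

/* Hardened check: an impersonation token below SecurityImpersonation names a user but
 * grants no authority to act as them, so it is refused outright; a deny-only
 * Administrators SID (UAC filtered token) must not count as admin either. */
bool admin_check_hardened(const token *thread_tok, const token *process_tok) {
    const token *t = effective_token(thread_tok, process_tok);
    if (t->is_impersonation && t->level < LEVEL_IMPERSONATION)
        return false;
    return t->has_admin_group && !t->admin_group_deny_only;
}

/* Constructed scenarios (not captured from a real system). */
const token PROCESS_STANDARD_USER    = { false, LEVEL_ANONYMOUS, false, false };
const token PROCESS_UAC_FILTERED     = { false, LEVEL_ANONYMOUS, true,  true  };
const token PROCESS_ELEVATED_ADMIN   = { false, LEVEL_ANONYMOUS, true,  false };
const token THREAD_IDENTIFY_ADMIN    = { true,  LEVEL_IDENTIFICATION, true, false };
const token THREAD_IMPERSONATE_ADMIN = { true,  LEVEL_IMPERSONATION,  true, false };

int main(void) {
    printf("identification-level admin token: weak=%d hardened=%d\n",
           admin_check_weak(&THREAD_IDENTIFY_ADMIN, &PROCESS_STANDARD_USER),
           admin_check_hardened(&THREAD_IDENTIFY_ADMIN, &PROCESS_STANDARD_USER));
    return 0;
}
```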

    • by ceoyoyo ( 59147 ) on Wednesday December 31, 2014 @03:05PM (#48707065)

      You should type "man sudo" sometime.

  • It does not appear to be a serious hole by itself. Microsoft claims you need a valid log-on to exploit this. In reality all you need to do is to get your code run on a machine with the privilege of an ordinary user. There are ways and other vulnerabilities to do it. There are numerous holes where the browser executes supplied malware from the net, without admin privileges. These two holes, when combined, form a serious threat.
  • "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability"

    "undisclosed
    adjective
    1. not made known or revealed: an undisclosed sum"

    From that description I assume Google has a database of recent security vulnerabilities (from the last 90 days).
    Vulnerabilities are immediately public information, then after 90 days they are removed from the list as they aren't recent, and assumed to be patched?

    OR

    It's the opposite and the person writing the description fo
