Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability
An anonymous reader writes "Google's security research database has after a 90-day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
90 days to fix (Score:5, Insightful)
"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.
Re: 90 days to fix (Score:4, Insightful)
Re: (Score:3)
Actually, for FOSS projects a single user that fixes it and submits a patch is enough for all users to have a patch. This is much more powerful and the reason fix-times are often measured in hours for well-done FOSS projects.
Re: (Score:2, Funny)
If only there were a way to communicate such bugs discovered in an open source piece of software to lots and lots of people. That way, many sets of eyes would surely see and then fix the issue and, in turn, communicate the fix and maybe distribute a binary for patching.
Re: (Score:2)
Re: (Score:3)
Really? Any coder able to find issues like this should be able to fix issues like this if they have the proper source code. Most issues are trivial to fix, substituting an unsafe call with a safe(r) call (eg. strcpy vs strncpy) is often enough to fix most issues.
Sure there will be some side cases where it is really hard or there may be better solutions than your patch (eg. I recently found a bug in the MariaDB optimizer which leads to bad data being returned) but then at least if the product on top of it (C
Re: (Score:2)
Indeed. But since it is FOSS, a single "true überwizard" that then submits a patch is enough for all to have a patch. In the closed-source case, some mediocre, underpaid and unmotivated corporate slave has to take an interest and manage to fix it, and that takes far longer in most cases. 90 days is completely unacceptable though.
Re: (Score:1)
Re: (Score:2)
Depends on the set-up, but usually it works like this: Engineer escalates to PHB -> PHB makes clueless decision -> engineer implements clueless decision. Done right, the engineer is reasonably senior, makes his own decision and just consults with a more senior or equally senior engineer for plausibility. Management only sets policy in that case. Of course, it is possible that MS has a "fix only if there is outside-pressure" policy for their engineers.
Re: (Score:2)
"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.
It's no big deal. I'm posting this from my Windows 8.1 box, and nothing bad has happened. ... @LizardMafia RULEZ!1! d0wn with S0NY!!11!
Re: (Score:2)
From the looks of things, this vulnerability only allows the would-be exploiter to circumvent UAC.
They still need valid credentials for a user with Admin rights to do anything significant (the demo just attempts to launch Calculator).
Which, given your post, would imply that you are logged into your Windows 8.1 PC as a user with Admin rights. And if you are perusing Slashdot while logged in as an Admin, you are doing something far worse than Google disclosing the vulnerability :P
-Rick
Re: (Score:3)
"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.
You've never been through regression testing have you?
Re: (Score:1)
You've never been through regression testing have you?
If stories of Microsoft's competence (heh heh) are to be believed (heh heh heh) then they already have a full test harness in place, and engineers tasked full-time with adding new cases to the system. Given what slips through, though, one doubts both their competence and also that they have a meaningfully representative set of PCs to test on. I'll grant you that would be difficult in the best case due to wide variation in the market, but the point stands.
Re: (Score:2)
I agree. Even a second-rate software shop should have no trouble meeting that deadline. It appears that MS is still third-rate. The only thing that will help is making them fully responsible for any and all damage caused by their inaction.
Re: (Score:1)
Really? says who? YOU? Anonymous coward says so?
I'm just thinking out loud here, but if everyone's PC gets infected by someone using the knowledge given by this asshole, everyone who gets exploited and has their credit card exploited or their debit cards exploited or PC exploited should sue Google. It's not their right to make Windows/any OS users open to scum criminal hackers. IMO this is nothing more than criminal blackmail. They can't beat MS with an
Re: (Score:1)
So you think Microsoft should be forced to provide security updates for all of their products in perpetuity?
Have you really thought about the economic ramifications of that?
Re: (Score:1)
Either that or stop using it.
Re: (Score:2, Insightful)
It is a user escalation vulnerability. These sorts of vulnerabilities sometimes exist in Linux for months or years as well. They are generally considered less urgent to fix.
Re:90 days to fix (Score:5, Insightful)
I think after 90 days, Microsoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.
No one is "forced" to continue using MS products -- unless they signed a support contract for extended support, MS can't be held responsible for supporting legacy systems indefinitely. If you don't want to be stuck with a system running an unsupported operating system, then you can sign (and pay for) a long-term support contract throughout the life of your product, you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself, or you can plan on upgrading your product hardware/software to stay with currently supported software.
I fail to see how Microsoft has any responsibility to support software for a hardware product that a manufacturer has decided not to keep current enough to run supported software. If the old HVAC system in your building relies on Windows 3.1 to keep it running, then maybe you ought to go after the vendor that sold it to you. If a replacement for the fan motor in your HVAC system is no longer available, you'd either retrofit to accept a current motor, or just upgrade the entire system, which is what you should do when the computer that controls it is no longer supported by current software.
Re: (Score:2)
you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself
Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.
Re: (Score:3)
you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself
Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.
Then you haven't applied enough money and/or pressure.
I worked for a large VAR years ago that had access to the Windows source... I don't think they had the whole source tree, they couldn't do a full build, but they could get access to any module they needed.
I worked for another company that was the largest and most well known customer of an up and coming database company, they used our name heavily in marketing - we wanted source code escrow in case the DB company went under and we had to support it ours
Grammar police alert (Score:4, Insightful)
Undisclosed?
Re: (Score:2)
Re: (Score:3)
Google inadvertently reveals they have captured enough of the Internet to erase things from it.
Re: (Score:1)
Re: (Score:2)
So this is good. This vulnerability was previously disclosed, but they undisclosed it. The undisclosure was done by the NSA using their version of the neuralizer, the existence of which was disclosed by Snowden last year, but has since been undisclosed (which is why you don't know about it).
Re: Grammar police alert (Score:2)
Haven't they already proven it is impossible to "UNdisclose" anything on the internet? Once it is disclosed, it's out there forever.
"Can't stop the signal, Mal."
Re: (Score:2)
I think they meant non-undisclosed, which is a perfectly cromulent word. Irregardless, we should all be carefuller with grammar.
Re: (Score:2)
How Long? (Score:1)
Is a reasonable amount of time to let a company sit on a known vulnerability? I feel like 90 days is pretty reasonable. There's still that Apple root pipe thing that's floating around that they haven't fixed and hasn't been fully disclosed.
Re: (Score:2)
90 days is plenty if they are actually prepared to maintain their stuff. It seems MS is not.
Ha ha ha (Score:5, Insightful)
The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.
Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.
Re: (Score:1)
Re:Ha ha ha (Score:5, Informative)
People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.
Re:Ha ha ha (Score:5, Interesting)
Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority. They've taken reported security exploits seriously for a very long time now, and disclosing any vulnerability before a patch is deployed is absolutely irresponsible. It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.
Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people... much more so than security issues that may not have even been seen in the wild yet (I saw no indication in the linked article that this was the case) - but now probably will since the attack is known. If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.
Sorry if I sound like an MS shill, but Google is really starting to piss me off with their high-handed attitude on stuff like this lately.
Re: (Score:2)
I've been laughing, reading your tongue-in-cheek humor until your last sentence... then realized that maybe you actually meant what you wrote...
Re: (Score:2, Interesting)
Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority.
ROFLMAO. I could go on and on for hours about how pathetic Microsoft Security is but instead, I will not bore you and just talk about the one that is the largest pain in my rear right now: It is titled Windows Credential Theft.
Yes, the geniuses at Microsoft decided that leaving Domain Admin credentials laying about on any average workstation is not a huge problem. It is not like just anyone has access to the computer after all and it is not like having your entire domain compromised is a huge deal...
Serious
Re: (Score:2)
Ok, people are getting distracted by my statement that MS is "taking security seriously". Let's put aside how *effectively* they're "taking security seriously" for now, because that's entirely beside the point. What my point was is this: MS has well-established machinery and procedures in place for accepting bug reports and getting them fixed. This is indisputable; a lot of bugs have been responsibly reported to them in confidence and subsequently fixed. We see them every month on Patch Tuesday. Did th
Re: (Score:3)
Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people
So, get to the part where it's google's fault that Microsoft is too incompetent to take security seriously?
Re: (Score:2)
> It's arrogant as hell for Google to decide that 90 days is long enough, thank you.
Totally ridiculous. I've witnessed the "responsible disclosure" discussions a few years back, and even then, 4 weeks was considered generous. I'd say it's totally egotistical of you to expect Google to even keep quiet for more than 30 days.
I'd have given them two weeks and gone out with it. And there are some researchers with a lot more clout than me who would have given them exactly ZERO days: http://www.securityfocus.com/a... [securityfocus.com]
Re: (Score:2)
If software manufacturers actually cared to fix things fast, there would be no need. But as fixing bugs costs money and there is _zero_ penalty for not doing so, most do not bother unless forced to. 90 days is plenty. Things not fixed in 90 days will never be fixed, unless there is at the very least a risk of bad press.
Re:Let's be honest (Score:5, Informative)
For a long time I thought that... then I actually tried Windows 8.1.
It is not bad actually, and far better than 7 in every way that I can tell.
Re: Let's be honest (Score:1)
What was asked for was a single way.
That's two ways.
FAIL.
(Couldn't resist.)
Re:Let's be honest (Score:5, Interesting)
Boots faster. Is more stable. Uses fewer memory resources. Windows networking seems to work better. Seamless integration with the kid's Xbox.
I seem to have much more luck developing drivers on 8.1 as well - far less error check screens (more a function of me learning the DDK), also at the user level ETW seems rather more robust. Windbg also seems to be more stable when running on 8.1.
Also, I like the UI better (on the desktop) - I largely ignore the metro screen or whatever it is called.
Re: (Score:2)
Seamless integration with the kid's Xbox.
Yeah, guess what? The kid's Xbox would integrate with Windows 7 or even XP just fine. But it still wouldn't play MKVs without PS3MediaServer or similar.
Re: (Score:2)
Try it on 8. Mo betta.
A victim of applications and history (Score:3, Informative)
This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.
MS up to and including XP (excluding the DOS based family) basically had the same as everyone else: you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.
To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.
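To make the split-token model above concrete from the defender's side, here is an added PowerShell check (not code from the thread or from Microsoft) that reports which situation the current logon is in: a standard user, an already-elevated administrator, or an Administrators member running under a filtered UAC token, which is the case an earlier reply notes a UAC bypass affects. It assumes English-locale whoami output for the column names and the "deny only" attribute text.

```powershell
# Added example, not code from the thread: classify the current Windows logon
# by whether this account is a member of Administrators running with a
# UAC-filtered token (the situation a UAC bypass affects), an already elevated
# admin, or a plain standard user.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only if the current process token is elevated (or UAC is off for this admin).
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Under UAC, a filtered admin token still carries BUILTIN\Administrators
# (S-1-5-32-544), flagged "Group used for deny only". .NET's IsInRole() and
# Groups skip deny-only entries, so read the raw token groups from whoami.
# Assumes English column headers: "Group Name","Type","SID","Attributes".
$groups        = whoami /groups /fo csv | ConvertFrom-Csv
$adminEntry    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$isAdminMember = $null -ne $adminEntry
$isDenyOnly    = $isAdminMember -and ($adminEntry.Attributes -match 'deny only')

# EnableLUA = 0 disables UAC entirely: admins then get a full token at logon
# and there is no split token left for a bypass to matter.
$uacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacEnabled = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA -eq 1

$exposure = if (-not $isAdminMember) {
    'standard user: a UAC bypass alone grants no additional rights'
} elseif ($isElevated -or -not $uacEnabled) {
    'fully elevated admin: UAC is not in the picture, anything you run is already admin'
} elseif ($isDenyOnly) {
    'filtered admin token: this is the configuration a UAC bypass affects'
} else {
    'admin group present but neither elevated nor deny-only: inspect the token manually'
}

[pscustomobject]@{
    User             = $identity.Name
    AdminGroupMember = $isAdminMember
    Elevated         = $isElevated
    UacEnabled       = $uacEnabled
    Exposure         = $exposure
}
```

Run it once from a normal (non-elevated) console and once from an elevated one to see the same account report differently; the non-admin daily-driver setup the post describes should report the first exposure line.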
Re: (Score:2)
This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.
MS up to and including XP (excluding the DOS based family) basically had the same as everyone else: you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.
To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.
While impersonation and other techniques are used a lot more now, including in larger portions of the API, impersonation itself has been around since NT 3.1. Are you a file server process serving a request from a client? Just create an impersonation context for the user who sent the request and pass that along to the file system. You only need to make sure that you create the right context and tell other services on whose behalf you are doing this. This is not identical to setuid and similar, most importantly bec
Re:A victim of applications and history (Score:5, Informative)
You should type "man sudo" sometime.
Might not be serious by itself. (Score:2)
undisclosed (Score:2)
"Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability"
"undisclosed
adjective
1. not made known or revealed: an undisclosed sum"
From that description I assume Google has a database of recent security vulnerabilities (from the last 90 days).
Vulnerabilities are immediately public information, then after 90 days they are removed from the list as they aren't recent, and assumed to be patched?
OR
Its the opposite and the person writing the description fo
Re:Poor choices to use proprietary cause this! (Score:4)
While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.
The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.
Re: (Score:1)
So?
The GP's point is still entirely valid.
Re: (Score:2)
Because FOSS still doesn't place some arbitrary BS restriction on fixing stuff.
Yes, it's true that a lot of users won't have the knowledge to do it, or won't be competent enough. Heck, even the people who can fix bugs won't have the time to fix every bug they encounter. But at least FOSS doesn't just outright ban you from doing it.
Re: (Score:2)
I think the "at least the end-user isn't restricted from fixing bugs when they occur" part is what the rejoinder was referring to.
Re: (Score:2)
Re: (Score:2)
Unused variables are warnings and not errors because their use is detected only heuristically and not conclusively. I'm not saying that's the case in the Linux kernel; only that it's a possibility.
Re: (Score:2)
>> the linux kernel source code is riddled with unused variables...
One would think that the linker would eliminate most of this. Not sure about the unspecified "unfixed and seemingly minor issues which collectively represent security vulnerabilities."
As far was the warnings go - most of those that I see are in the modules, not the kernel itself.
Re: (Score:2)
Why are you bringing up the average user when he was talking about the end user who has a strong reason to keep something patched? That's comparing a Mint home user to someone running the distribution upgrade servers.
If you are in charge of managing an important system or network, then you can either fix the problem yourself, have your programming team fix it and commit the fix back to the upstream vendor or you can potentially hire the work out. Even if you are an average end user, you could actually fix i
Re: (Score:1)
Re: (Score:2, Informative)
Let's see how that plays out in the Open Source world:
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this priva
Re: (Score:2)
Sorry you got lost. Tumblr is three doors down, on the right.
kthx, bye.
Re: (Score:2)
Maybe you just spend too much time pulling statements out of your ass?
Re:Poor choices to use proprietary cause this! (Score:5, Insightful)
While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.
It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Re: (Score:1)
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
You've really got to try to fix a few things before you can appreciate how uneven the situation can be. I've fixed some little things, they were easy. I've tried to fix some other apparently little things and failed, and found some other solution instead. Or not.
Re: (Score:2)
But the real point, I think, is that even if everyone/most users can't fix a bug in open source code (similar to the prior poster, I've also fixed small and medium ones, but waited for fixes on complex stuff), there are people who can, and will, and do. Even though, for the really obscure things, that group may be small, there is no absolute dependence on some group that has access to closed source code. This seems like rather an advantage for open source.
Re: (Score:2)
Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to.
Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.
Re: (Score:2)
Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.
No, the original claim was:
"at least the end-user isn't restricted from fixing bugs when they occur."
Paying/getting a different party to fix the bug is a valid application of "not being restricted from fixing the bug". In the case of proprietary software, if the original vendor doesn't fix it, you're stuck with the choice of being vulnerable or making significant changes (switching to a different proprietary software).
Re: (Score:2)
Re: (Score:2)
Gratz. You sir are a thinking and evolving being.
Re: (Score:2)
I'm surprised more people haven't responded that they already have contributed, given the way anything about a particular language turns into an argument.
I'm not a professional developer, but I have on occasion been the fresh pair of eyes that has spotted something that turned out to be an easy fix. On many more occasions I have found bugs that were out of my league.
Re: (Score:2)
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Trolls that keep posting crap like this should eat their own dogfood - try it yourself before extolling the horrors, and try it with both the closed source product and the competing open source one. I've done this. IME, you're full of shit.
It's also worth noting that the bug was reported over 90 days ago. "proper fix takes ages"... results will vary wildly depending on the product, the bug report, and the bug, but the majority would be addressable well within that time frame. In most cases, you won't have t
Re: (Score:2)
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Hm. Back when I decided to build my own Linux based computer from source code, I did a lot of tweaking to the sources for a lot of the software that I decided to run. It was not terribly hard and it made the entire user experience amazingly awesome.
Now I am just pissed off. What with the removal of the ability to ctl-alt-backspace out of X (yes, i can add it back in) and "systemD integration" (yes, I can currently avoid it entirely) and other such nonsense like Gnome going off the deep end (nothing I can do
Re: (Score:1)
Re: (Score:1)
So why does /. censor posts in gender politics threads? They do selectively run a script in some threads. In the case I'm talking about, it will ghost posts that use ess jay doubleyew (social justice warrior). They DO censor. This isn't hypothetical.