Google Makes Windows 8.1 Vulnerability Details Public After Microsoft Fails To Patch It In Time
Google researchers have went ahead and posted details about a Windows 8.1 vulnerability after the 90 days deadline it gave to Microsoft ended just days before new year eve. Google’s secret security research team, Project Zero had discovered this vulnerability way back in September 2014. According to team’s guidelines, once they find a bug in any hardware or software they immediately report it to the manufacturer and give them 90 days time to solve the problem. In this case Microsoft, the makers of the Windows 8.1 operating system failed to patch the vulnerability in time and Google made the details of the vulnerability public including the codes they used to exploit it.
Google’s team had found a bug on both 32 and 64-bit versions of Windows 8.1 update that allowed lower-level users to gain administrator access. The problem lies with a code in the system call NtApphelpCacheControl found in the ahcache.sys. The application compatibility data is normally editable by administrators but the bug in the aforementioned files can allow a lower level user to impersonate the administrator and edit the cache information. The researchers have #-Link-Snipped-# the exploit code and asked users to check this vulnerability themselves. Microsoft has released an official statement regarding the Elevation of Privilege issue and said that a patch will be released soon. It downplays the threat saying that an attacker would need to have login credentials and be physically present at the system to carry out the attack.
This development has caused an uproar in the software development market. While some applaud Google’s efforts others say that it was unfair to upload details about a vulnerability before it is patched by the manufacturer as this can be exploited on a large scale. Google argues that it had given sufficient time to Microsoft to address the issue but they failed to do so. Our question to readers is that, is it fair to disclose a vulnerability in a system publicly? If your answer if no then why and if yes, what is the proper way to do it? Post you comments below.
Source: #-Link-Snipped-#
Google’s team had found a bug on both 32 and 64-bit versions of Windows 8.1 update that allowed lower-level users to gain administrator access. The problem lies with a code in the system call NtApphelpCacheControl found in the ahcache.sys. The application compatibility data is normally editable by administrators but the bug in the aforementioned files can allow a lower level user to impersonate the administrator and edit the cache information. The researchers have #-Link-Snipped-# the exploit code and asked users to check this vulnerability themselves. Microsoft has released an official statement regarding the Elevation of Privilege issue and said that a patch will be released soon. It downplays the threat saying that an attacker would need to have login credentials and be physically present at the system to carry out the attack.
This development has caused an uproar in the software development market. While some applaud Google’s efforts others say that it was unfair to upload details about a vulnerability before it is patched by the manufacturer as this can be exploited on a large scale. Google argues that it had given sufficient time to Microsoft to address the issue but they failed to do so. Our question to readers is that, is it fair to disclose a vulnerability in a system publicly? If your answer if no then why and if yes, what is the proper way to do it? Post you comments below.
Source: #-Link-Snipped-#
0
