Google Makes Windows 8.1 Vulnerability Details Public After Microsoft Fails To Patch It In Time

Google researchers have gone ahead and posted details about a Windows 8.1 vulnerability after the 90-day deadline they gave Microsoft ended just days before New Year's Eve. Google’s secret security research team, Project Zero, had discovered this vulnerability back in September 2014. According to the team’s guidelines, once they find a bug in any hardware or software, they immediately report it to the manufacturer and give them 90 days to solve the problem. In this case Microsoft, the maker of the Windows 8.1 operating system, failed to patch the vulnerability in time, and Google made the details of the vulnerability public, including the code they used to exploit it.

Google’s team had found a bug in both the 32-bit and 64-bit versions of Windows 8.1 Update that allowed lower-level users to gain administrator access. The problem lies in the code of the system call NtApphelpCacheControl, found in ahcache.sys. The application compatibility data is normally editable only by administrators, but the bug can allow a lower-level user to impersonate the administrator and edit the cache information. The researchers have #-Link-Snipped-# the exploit code and asked users to check this vulnerability themselves. Microsoft has released an official statement regarding the Elevation of Privilege issue and said that a patch will be released soon. It downplays the threat, saying that an attacker would need to have login credentials and be physically present at the system to carry out the attack.

This development has caused an uproar in the software development market. While some applaud Google’s efforts, others say that it was unfair to upload details about a vulnerability before it is patched by the manufacturer, as this can be exploited on a large scale. Google argues that it had given Microsoft sufficient time to address the issue, but the company failed to do so. Our question to readers: is it fair to disclose a vulnerability in a system publicly? If your answer is no, then why, and if yes, what is the proper way to do it? Post your comments below.

Source: #-Link-Snipped-#

Replies

  • Anoop Mathew
    Microsoft was once on top, now Google just took a stab at it.
    To be fair: Every dog has a day!
    To Google: Pride comes before ____.
  • [Prototype]
    That was a pretty dick move by Google, to be honest. They are no one to give an ultimatum. Okay, they found a flaw and reported it. That's just a nice gesture from them. Doesn't mean they regulate the way other companies work. It's straight blackmailing.

    At the end of the day, it'll be the users who will be suffering. Their systems are going to be exploited. The blame may be on Microsoft's head, but the ultimate loss will be the user's. Their data will be compromised and it won't matter who's responsible for it.
  • micheal john
    I think 90 days for a patch was a good deal.
  • Paul Steffen
    [Prototype]
    That was a pretty dick move by Google, to be honest. They are no one to give an ultimatum. Okay, they found a flaw and reported it. That's just a nice gesture from them. Doesn't mean they regulate the way other companies work. It's straight blackmailing.
    Totally utter BS! Microsoft software is unfortunately used in mission critical systems and when Microsoft is given word about serious bugs and refuses to fix it, serious things occur (see: #-Link-Snipped-# and many others).

    Security exploits are a bit like a bacterial virus - they work best on homogeneous systems, large numbers of machines running that exact same version of the code unchanged for a long time. Even if they're memory exploits, normal code maintenance/recompiles can thwart that. Flatly ignoring a known exploit is a total dickmove and what Google did was absolutely necessary.
  • Satya Swaroop Dash
    Here is Microsoft’s reply about this issue: #-Link-Snipped-#

    In short, the company calls for a better system of reporting flaws and says that Google’s decision was less about consumer safety and more about “gotcha”.
  • Jatin Kumar
    90 days was a fair time. If they haven't, maybe somebody else has, and it will come in front of the user like Heartbleed after their system has been compromised. It may look like a gotcha moment from Microsoft's view, but what Google did was absolutely necessary.
