Google has publicly disclosed another serious flaw in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch – much to the chagrin of the software giant.
It follows an earlier disclosure of a vulnerability in Windows, which Google published after Microsoft, in Google’s account, failed to fix it despite being given three months to do so.
The newly publicised bug was found by James Forshaw, who also discovered a “privilege elevation flaw” in Windows 8.1, which was disclosed earlier this week – drawing fire from Microsoft.
The latest bug lies in the CryptProtectMemory memory-encrypting function and has been made public under Google’s own Project Zero terms, which give a software vendor 90 days to fix a reported flaw before the company publishes the details.
Google argues that software vendors need to be pressured to fix security flaws because they may also be identified and exploited by people and organisations with more nefarious intent.
Forshaw described the flaw as follows: “When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag), the encryption key is generated based on the logon session identifier; this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another, it supports extracting the logon session ID from the impersonation token.
“The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session.
“This behaviour of course might be design; however, not having been party to the design, it’s hard to tell.”
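As an added illustration (this is not Forshaw’s proof of concept and not Microsoft’s code), the Windows PowerShell script below P/Invokes the documented crypt32 and advapi32 APIs to do two things: encrypt and decrypt a buffer with CRYPTPROTECTMEMORY_SAME_LOGON, and read the logon session ID and impersonation level out of a token while applying the check the report says CNG.sys omitted, namely that a logon ID taken from an impersonation token is only trustworthy at SecurityImpersonation level or above. To show why the level matters, it impersonates the caller’s own identity at Identification level and prints that token’s fields, which carry the same logon ID as the primary token; it does not reproduce the vulnerability. Assumed: a Windows host, a plain console session so that the impersonation calls and the token query run on the same thread, and the public TOKEN_STATISTICS layout noted in the comments.

```powershell
# Added example for this page: not Project Zero's PoC, not Microsoft code.
# Exercises CryptProtectMemory's SAME_LOGON mode and reads logon ID /
# impersonation level from a token (the check CNG.sys reportedly skipped).
$native = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    public const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16;
    public const uint CRYPTPROTECTMEMORY_SAME_LOGON = 0x02;
    public const uint TOKEN_QUERY = 0x0008;
    public const int  TokenStatistics = 10;        // TOKEN_INFORMATION_CLASS value
    public const int  SecurityIdentification = 1;  // SECURITY_IMPERSONATION_LEVEL value
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CryptProtectMemory([In, Out] byte[] pData, uint cbData, uint dwFlags);
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CryptUnprotectMemory([In, Out] byte[] pData, uint cbData, uint dwFlags);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr hToken, int infoClass, [Out] byte[] info, uint infoLen, out uint retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr hThread, uint access, bool openAsSelf, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateSelf(int level);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $native

function Get-TokenSessionInfo {
    # TOKEN_STATISTICS (public SDK layout, 56 bytes): TokenId@0, AuthenticationId@8,
    # ExpirationTime@16, TokenType@24, ImpersonationLevel@28 (meaningful only for
    # impersonation tokens), four DWORD counters@32, ModifiedId@48.
    param([IntPtr]$Token)
    $buf = New-Object byte[] 56
    [uint32]$len = 0
    if (-not [Native]::GetTokenInformation($Token, [Native]::TokenStatistics, $buf, [uint32]$buf.Length, [ref]$len)) {
        throw ('GetTokenInformation failed, error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    $logonLow  = [BitConverter]::ToUInt32($buf, 8)   # LUID.LowPart
    $logonHigh = [BitConverter]::ToInt32($buf, 12)   # LUID.HighPart
    $type      = [BitConverter]::ToInt32($buf, 24)   # 1 = TokenPrimary, 2 = TokenImpersonation
    $level     = [BitConverter]::ToInt32($buf, 28)   # 0 Anonymous .. 3 Delegation
    $isImp     = ($type -eq 2)
    $typeName  = if ($isImp) { 'Impersonation' } else { 'Primary' }
    $levelName = if ($isImp) { @('Anonymous','Identification','Impersonation','Delegation')[$level] } else { 'n/a (primary)' }
    # The missing check from the report: a logon session ID read from an impersonation
    # token may only be used to act for that logon if the token was granted at
    # SecurityImpersonation or higher. Identification level allows inspecting the
    # identity, not acting as it.
    $trusted = (-not $isImp) -or ($level -ge 2)
    [pscustomobject]@{
        LogonId            = '{0:X8}:{1:X8}' -f $logonHigh, $logonLow
        TokenType          = $typeName
        ImpersonationLevel = $levelName
        TrustForSameLogon  = $trusted
    }
}

function Test-SameLogonRoundTrip {
    # Constructed 16-byte sample; cbData must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE.
    $plain = [Text.Encoding]::ASCII.GetBytes('secret-for-logon')
    $buf   = [byte[]]$plain.Clone()
    $flags = [Native]::CRYPTPROTECTMEMORY_SAME_LOGON
    if (-not [Native]::CryptProtectMemory($buf, [uint32]$buf.Length, $flags)) { throw 'CryptProtectMemory failed' }
    $cipher = [byte[]]$buf.Clone()   # encrypted in place
    if (-not [Native]::CryptUnprotectMemory($buf, [uint32]$buf.Length, $flags)) { throw 'CryptUnprotectMemory failed' }
    [pscustomobject]@{
        Ciphertext        = ($cipher | ForEach-Object { $_.ToString('x2') }) -join ''
        CiphertextDiffers = (($plain -join ',') -ne ($cipher -join ','))
        RoundTripOK       = (($plain -join ',') -eq ($buf -join ','))
    }
}

# 1. The caller's primary token.
$hProc = [IntPtr]::Zero
if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), [Native]::TOKEN_QUERY, [ref]$hProc)) { throw 'OpenProcessToken failed' }
'Primary token:'; Get-TokenSessionInfo $hProc
[void][Native]::CloseHandle($hProc)

# 2. The same identity held as an Identification-level impersonation token. It carries
#    the identical LogonId, which is why reading the ID without checking the level is
#    unsafe. (Real abuse would involve another principal's token obtained at this level;
#    here we only impersonate ourselves to show the fields.)
if (-not [Native]::ImpersonateSelf([Native]::SecurityIdentification)) { throw 'ImpersonateSelf failed' }
try {
    $hThr = [IntPtr]::Zero
    if (-not [Native]::OpenThreadToken([Native]::GetCurrentThread(), [Native]::TOKEN_QUERY, $true, [ref]$hThr)) { throw 'OpenThreadToken failed' }
    'Identification-level impersonation token:'; Get-TokenSessionInfo $hThr
    [void][Native]::CloseHandle($hThr)
} finally { [void][Native]::RevertToSelf() }

# 3. Encrypt and decrypt a buffer bound to this logon session.
Test-SameLogonRoundTrip
```

Run it in an ordinary PowerShell console rather than a host that schedules statements on different threads, since ImpersonateSelf and OpenThreadToken act on the calling thread. The round trip succeeds because the same token encrypts and decrypts; whether CNG.sys on a patched system rejects an Identification-level token is not something this script tests.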
Forshaw claims he discovered the bug on 17 October, but Microsoft says that it has been unable to fix the bug in the time-frame given because of compatibility issues.
Microsoft has responded angrily to the disclosures, which it says undermine the security of its software while it works to fix the problems.
In response to Google’s first disclosure, Chris Betz, a senior director at Microsoft’s Security Response Center, wrote in his first-ever blog post: “We asked Google to work with us to protect customers by withholding details [on CVE-2015-0004] until Tuesday, January 13, when we will be releasing a fix.”
He continued: “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Betz added that public disclosure of a vulnerability radically increases the risk that an exploit will be developed to take advantage of it. “Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cyber-criminals more frequently orchestrating attacks against those who have not or cannot protect themselves,” he claimed.