Google has once again released the details of a new privilege escalation bug in Microsoft's Windows 8.1 operating system before Microsoft planned to patch the bug, triggering a new quarrel between the two tech giants.
This is the second time in less than a month that Google's security research team, known as Project Zero, has released details of a vulnerability in Microsoft's operating system, following its 90-day public disclosure deadline policy.
Google's Project Zero team routinely finds vulnerabilities in products from different companies. The vulnerabilities are then reported to the affected software vendors, and if they do not patch the flaws within 90 days, Google automatically makes the vulnerability public along with its details.
DISCLOSURE OF TWO SECURITY HOLES IN LESS THAN A MONTH
Two weeks ago, Google's Project Zero team disclosed details of an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that may have allowed hackers to modify contents or even take over victims' computers completely, leaving millions of users vulnerable.
At the time, Microsoft criticized Google for publicly disclosing the Windows 8.1 security flaw just before it was planning to fix it. According to Microsoft, the Windows 8.1 vulnerability disclosed by Google may have exposed users of the operating system to hackers.
However, releasing details along with a proof of concept for the second security hole in Microsoft's Windows 8.1 just two days before Microsoft planned to patch the bug indicates that Google's Project Zero is determined to stick to its 90-day deadline for fixing software flaws.
MICROSOFT vs GOOGLE
Microsoft, though, is very upset with the 90-day disclosure deadline enforced by Google's Project Zero team. The team reported the new elevation of privilege flaw to Microsoft on 13 October.
In November, Microsoft asked Google to extend the deadline until February 2015, when it planned to address the issue. However, the search engine giant refused. Later, when Microsoft promised to address the vulnerability in January's Patch Tuesday, Google still refused to extend its deadline even by two days.
"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Chris Betz, senior director with Microsoft’s Security Response Center, in a blog post Sunday. "Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result."
TECHNICAL DETAILS OF THE NEW EoP FLAW
According to Google's security team, the User Profile Service is used to create certain directories and mount the user hives as soon as a user logs into a computer. Other than loading the hives, the base profile directory is created under a privileged account, which is secure because a normal user requires administrator privileges to do so.
"However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through," Google said. "Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile."
A proof-of-concept (PoC) demonstrating the attack on Microsoft’s Windows 8.1 operating system has been published, but experts have confirmed that the vulnerability also affects Windows 7.