Google is criticised for publishing a flaw in in Windows 8.1 that could allow an attacker to give themselves admin privileges
A flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges has been described by Google’s Project Zero security team.
The vulnerability was apparently reported to Microsoft privately on September 30 but was made public 90 days later because the bug has still not been fixed, presumably in the hope that it would pressure Microsoft into releasing an update.
However this approach has divided opinion within the security community, with many arguing that the publication of a still unpatched flaw could expose Windows 8.1 users to unnecessary risk. Security expert Graham Clulely said Google had effectively published a ‘proof of concept’ that could be used to malicious hackers to launch attacks on affected systems.
Windows 8.1 flaw
“Fortunately, Microsoft has pointed out that the security flaw uncovered by Google’s researchers isn’t of the highest severity,” he said. “To exploit the bug, an attacker would need to have valid logon credentials and be able to log on locally to a targeted machine. But it’s still easy to imagine a disaffected employee using the bug to cause mayhem if they so wished.
“If you want to apply pressure on a software vendor who you believe is taking too long to fix a security flaw, don’t release blueprints of how to exploit the vulnerability onto the internet. Instead, go to any technical journalist who works on the security beat. They’ll be happy to have the flaw demonstrated to them, and then responsibly report that the bug still hasn’t been fixed.”
It has been suggested that Microsoft may have taken its time releasing an update because of complications with a number of recent patches that have introduced new bugs into Windows. The MS14-045 patch made available in August caused the dreaded Blue Screen of Death to appear for many users, while ‘unspecified user issues’ caused a fix for Windows 7 and Windows Server 2008 to be pulled in October.
“While 90 days may be long enough to fix flaws found in many pieces of software, we can’t say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “It can’t risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.
“It’s too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem one would hope the eventual patch doesn’t cause more security holes further down the line.”
How well do you know the history of Windows? Take our quiz!