A flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges has been described by Google’s Project Zero security team.
The vulnerability was apparently reported to Microsoft privately on September 30 but was made public 90 days later because the bug has still not been fixed, presumably in the hope that it would pressure Microsoft into releasing an update.
However this approach has divided opinion within the security community, with many arguing that the publication of a still unpatched flaw could expose Windows 8.1 users to unnecessary risk. Security expert Graham Clulely said Google had effectively published a ‘proof of concept’ that could be used to malicious hackers to launch attacks on affected systems.
“If you want to apply pressure on a software vendor who you believe is taking too long to fix a security flaw, don’t release blueprints of how to exploit the vulnerability onto the internet. Instead, go to any technical journalist who works on the security beat. They’ll be happy to have the flaw demonstrated to them, and then responsibly report that the bug still hasn’t been fixed.”
It has been suggested that Microsoft may have taken its time releasing an update because of complications with a number of recent patches that have introduced new bugs into Windows. The MS14-045 patch made available in August caused the dreaded Blue Screen of Death to appear for many users, while ‘unspecified user issues’ caused a fix for Windows 7 and Windows Server 2008 to be pulled in October.
“While 90 days may be long enough to fix flaws found in many pieces of software, we can’t say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “It can’t risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.
“It’s too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem one would hope the eventual patch doesn’t cause more security holes further down the line.”
How well do you know the history of Windows? Take our quiz!
New chapter for famous name from Internet's early days, Napster, has been acquired and will…
Solving not-spots? Ofcom proposal to make UK the first European country to allow ordinary smartphones…
Pioneering robotaxi service from Alphabet's Waymo to go live in Washington DC next year, as…
Dozens of Chinese firms added to US export blacklist, in order to hamper Beijing's AI…
Chinese rival BYD overtakes global revenues of Elon Musk's Tesla, as record number of Tesla…
Messaging app Signal in the headlines after a journalist was invited to a top secret…
View Comments
Hardly a risk to most companies, if the attacker (user in this case) has valid logon credentials and physical access to the machine - then they can do a lot worse anyway! Storm in a tea cup by Google and reflects badly on them!