Google Exposes Windows 8.1 Security Flaw

A flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges has been described by Google’s Project Zero security team.

The vulnerability was apparently reported to Microsoft privately on September 30 but was made public 90 days later because the bug has still not been fixed, presumably in the hope that it would pressure Microsoft into releasing an update.

However, this approach has divided opinion within the security community, with many arguing that the publication of a still-unpatched flaw could expose Windows 8.1 users to unnecessary risk. Security expert Graham Cluley said Google had effectively published a ‘proof of concept’ that could be used by malicious hackers to launch attacks on affected systems.

Windows 8.1 flaw

“Fortunately, Microsoft has pointed out that the security flaw uncovered by Google’s researchers isn’t of the highest severity,” he said. “To exploit the bug, an attacker would need to have valid logon credentials and be able to log on locally to a targeted machine. But it’s still easy to imagine a disaffected employee using the bug to cause mayhem if they so wished.

“If you want to apply pressure on a software vendor who you believe is taking too long to fix a security flaw, don’t release blueprints of how to exploit the vulnerability onto the internet. Instead, go to any technical journalist who works on the security beat. They’ll be happy to have the flaw demonstrated to them, and then responsibly report that the bug still hasn’t been fixed.”

It has been suggested that Microsoft may have taken its time releasing an update because of complications with a number of recent patches that have introduced new bugs into Windows. The MS14-045 patch made available in August caused the dreaded Blue Screen of Death to appear for many users, while ‘unspecified user issues’ caused a fix for Windows 7 and Windows Server 2008 to be pulled in October.

“While 90 days may be long enough to fix flaws found in many pieces of software, we can’t say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “It can’t risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.

“It’s too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem, one would hope the eventual patch doesn’t cause more security holes further down the line.”

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

View Comments

  • Hardly a risk to most companies, if the attacker (user in this case) has valid logon credentials and physical access to the machine - then they can do a lot worse anyway! Storm in a tea cup by Google and reflects badly on them!
