Monday 5 January 2015

Google lights the fuse on a Microsoft time-bomb

As the first post of the year, I wonder if this entry will set the tone for 2015. That is, one company publishing another company's security vulnerabilities before they can be fixed - potentially exposing us users.

Google, through it Project Zero program has published a Windows 8.1 vulnerability that allows certain users to gain administrative privileges through an elevation of privileges attack.  Google has a 90-day embargo policy where if it discovers a bug, it will notify the affected vendor and give them 90 days to respond (i.e. fix the bug or close the security hole).  If the company (in this case Microsoft) does not respond in time, then Google will publish the vulnerability with a sample exploitation. 

Reading from the code example given on Google's development site, you can follow these steps yourself;
  1. Put the AppCompatCache.exe and Testdll.dll on disk
  2. Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables). 
  3. Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll". 
  4. If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run. 
There are a number of opinions about this kind approach to security. Google has the following to say about this;
"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security — it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face..."
To be fair, Google is not just researching vulnerabilities in Microsoft products, it is targeting Apple as well. However, what Google has done here, is to set a time-bomb. Once the vulnerability has been published by Google, then the bug will automatically be released 90-days after. Regardless of the impact or the effort from the affected vendor. If the issue is fixed, fine. If not, then you can add this to your list of worries.

However, as a user who is now more exposed and potentially compromised by this security issue, I feel a little less comfortable with this approach. In this case, it's not what Microsoft didn't do, its what Google has done.

You can read the specifics about this issue here

1 comment:

Chris Jackson said...
This comment has been removed by the author.