Update: Google’s Project Zero has disclosed the details of an unpatched Windows vulnerability reported to Microsoft in September.
The disclosure was made on Monday upon the expiration of the 90-day waiting period imposed by Google researchers. Microsoft has yet to patch the Windows 8.1 vulnerability that would allow a hacker to elevate their privileges on an affected computer to gain administrator access. Microsoft’s next set of Patch Tuesday security bulletins is scheduled to be released Jan. 13.
“We are working to release a security update to address an elevation of privilege issue,” a Microsoft spokesman told Threatpost. “It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine.”
Google researcher James Forshaw said the NtApphelpCacheControl system call, which allows for quick caching of application data, contains a vulnerability in which a user’s impersonation token is not checked properly to determine if the user is an administrator.
“It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” Forshaw wrote in an advisory on the Google vulnerability database. “For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”
Forshaw said he wasn’t sure whether Windows 7 was vulnerable to the same bug because of an existing privilege check, but cautioned that it could be bypassed. His proof-of-concept exploit code was tested only on Windows 8.1 Update, 32- and 64-bit versions.
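The flaw described above is a missing impersonation-level check: an identification-level token identifies the client but does not entitle the server to act as that client. The following added example (not code from the advisory or from Windows) contrasts the SID-only comparison with a check that also requires at least SecurityImpersonation; the token structure is a constructed stand-in for what kernel code would obtain via PsReferenceImpersonationToken, and the enum values are those of SECURITY_IMPERSONATION_LEVEL in winnt.h.

```c
#include <stdbool.h>
#include <string.h>

/* Impersonation levels as defined by SECURITY_IMPERSONATION_LEVEL in winnt.h. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,  /* server may query the client's identity only */
    SecurityImpersonation  = 2,  /* server may act as the client on the local system */
    SecurityDelegation     = 3
} impersonation_level_t;

/* Constructed stand-in for the two facts a kernel caller would obtain from
 * the referenced impersonation token: the user SID and the level at which
 * the token was granted. Not the real kernel structures. */
typedef struct {
    const char *user_sid;          /* textual SID, e.g. "S-1-5-18" for LocalSystem */
    impersonation_level_t level;
} caller_token_t;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Flawed pattern described in the article: only the user SID is compared,
 * so an identification-level token carrying the LocalSystem SID passes. */
bool caller_is_system_sid_only(const caller_token_t *tok)
{
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened pattern: refuse tokens below SecurityImpersonation before the SID
 * is even considered, since such a token proves identity, not authority. */
bool caller_is_system_checked(const caller_token_t *tok)
{
    if (tok->level < SecurityImpersonation)
        return false;
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}
```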
A request for additional comment from Forshaw was not returned in time for publication. This is not the first such disclosure made by Project Zero. In late November, Forshaw disclosed an Adobe Acrobat and Reader 11 sandbox escape on Windows systems. The bug was reported to Adobe on Aug. 27 and publicly disclosed by Google on Nov. 26 after the passing of its 90-day deadline. Adobe patched the vulnerability nine days after its public disclosure.
The research team’s disclosure policy has been public since Project Zero was announced in July.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security—it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” said Google researcher Ben Hawkes. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
This article was updated at noon E.T. with a comment from Microsoft.