Round 2: Google Deadline Closes on Pair of Microsoft Vulnerabilities

Google Project Zero has disclosed a pair of unpatched Windows vulnerabilities after the expiration of its 90-day deadline. Microsoft said it will patch one bug in February, and both sides agree the second does not merit a security bulletin.

Two more unpatched Windows vulnerabilities on Thursday crossed into the public domain after the expiration of Google Project Zero’s self-imposed 90-day waiting period before disclosing bug details.

Microsoft will patch only one of the vulnerabilities—in the upcoming February Patch Tuesday security bulletin release—while both sides agree the second flaw is not a security issue.

The common ground is the only public pleasantry between the two technology giants of late. Google’s disclosure Dec. 29 of a privilege escalation vulnerability in Windows not only revived disclosure debates between security enthusiasts, but also ignited acrimony and public sniping between the two companies.

Microsoft went public with a statement promoting its philosophy of coordinated vulnerability disclosure while simultaneously revealing that it had asked Google to withhold its disclosure of the vulnerability until the January security bulletins, which were released this week. Google refused and went ahead with its disclosure.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” said Microsoft’s Chris Betz. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

On Thursday, another Project Zero disclosure expired; the more pressing of the Windows bugs is an impersonation check bypass with the CryptProtectMemory function. Google said that its implementation in CNG.sys doesn’t check the impersonation level of the token when capture a login session ID.

“Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first.”
-Microsoft spokesman

“A normal user can impersonate at Identification level and decrypt or encrypt data for that logon session,” Google’s James Forshaw wrote in the disclosure advisory. “This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.”

The advisory also includes a proof-of-concept exploit that triggers the vulnerability. Google reported the vulnerability to Microsoft on Oct. 17. According to a note in the advisory, Microsoft on Monday confirmed it had reproduced the issue and the security feature bypass. Another note on Thursday said Microsoft had planned to release a patch this week for the vulnerability but compatibility issues forced it to hold off and schedule it for February. Google’s deadline passed yesterday.

“We are not aware of any cyberattacks using the two cases publicly disclosed,” a Microsoft spokesman told Threatpost. “We’re working to address the first case, CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first.”

The second issue is an admin check bypass in the NtPowerInformation system call. The check is carried out before performing specific power functions.

“On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn’t take into account the impersonation level of the token and the rest of the code also doesn’t take it into account,” Forshaw wrote. “Therefore you can impersonate an administrator’s token as a normal user (through linked token or kidnapping a system token) and call the protected functions. On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it’s not vulnerable.”

Google said Microsoft informed its researchers that the issue was reproduced on Windows 7 and that it didn’t reach the threshold required to elevate it to “bulletin servicing;” the bug allows only limited information disclosure about power settings. Google agreed that it was not a critical security issue and released details and proof of concept.

Suggested articles