Google’s Project Zero research team has revealed a bug in Windows 8.1. Project Zero team was set up last year by Google to improve security across the Internet and root out bugs in widely used software. The bug that was found that could give low level user’s administration right and also access to sensitive server functions by an elevation of privileges that they would normally have no right to.
Project Zero initially discloses flaws privately to the firms responsible for the vulnerable systems and gives them a 90-day deadline to release a fix before making the research public. Since the 90 days had elapsed The Project Zero team revealed the bug so that millions of Windows users can take countermeasures until a patch is released. Full details of the bug can be found here.
A member of Project Zero released the following statement. “Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the “Reported” label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.”
“Project Zero’s disclosure deadline policy has been in place since the formation of our team earlier in 2014. It’s the result of many years of careful consideration and industry-wide discussions about vulnerability remediation. Security researchers have been using roughly the same disclosure principles for the past 13 years (since the introduction of “Responsible Disclosure” in 2001), and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy”.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner and to exercise their power as a customer to request an expedited vendor response”.
“With that said, we’re going to be monitoring the effects of this policy very closely – we want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security. We’re happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors”.
Microsoft also released the following statement “We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”
Microsoft normally release patches on Patch Tuesday which is the second Tuesday of each month and the next one is next Tuesday. They have also not mentioned if there will be a fix ready for this month’s Patch Tuesday and I guess we will just have to wait and see.