Microsoft had about three months to eliminate the problem

Jan 16, 2015 09:07 GMT

Google has disclosed a new vulnerability affecting Windows 7 and 8.1, leaving the operating system exposed until next month, when Microsoft plans to deliver a fix.

Since Google started its Project Zero group in July 2014 to hunt down zero-day vulnerabilities in different software, multiple flaws in Windows have been exposed under the 90-day disclosure policy.

Basically, Google gives vendors three months to solve the reported security issues or the problems become public. Until now, the security bug hunters at Google have disclosed multiple security weaknesses in Windows, all before Microsoft got a chance to push a fix to the users.

Data can be encrypted or decrypted by an attacker

The flaw touches on a function in the operating system called “CryptProtectMemory” that permits applications to encrypt memory for use within a process or across the logon session.

For the logon session case, the encryption key is generated from the logon session identifier so that data can be shared between processes, and the function supports extracting the logon session ID from the impersonation token, James Forshaw says in the post disclosing the vulnerability.

“The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section,” the researcher writes.

When making the Windows issue public, Forshaw also released a proof-of-concept (PoC) demonstrating that information disclosure is possible through exploitation of the flaw.
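The missing impersonation-level check Forshaw describes can be modelled in a few lines of C. This is an added example, not code from the article, from Microsoft or from the Project Zero PoC; the types, function names and session IDs are hypothetical, and refusing the token is an assumed mitigation rather than Microsoft's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model. Every name here is hypothetical, not a Windows or CNG.sys API. */
typedef enum { LVL_ANONYMOUS, LVL_IDENTIFICATION, LVL_IMPERSONATION, LVL_DELEGATION } imp_level;

typedef struct {
    uint64_t  logon_id;      /* logon session the token belongs to */
    bool      impersonation; /* false: primary token of the calling process */
    imp_level level;         /* only meaningful for impersonation tokens */
} model_token;

/* Flawed capture: trusts whatever token is effective on the thread. */
static int capture_unchecked(const model_token *effective, uint64_t *logon_id) {
    *logon_id = effective->logon_id;
    return 0;
}

/* Checked capture: an impersonation token below Impersonation level may be
 * used to identify a user, not to act as that user, so it is refused. */
static int capture_checked(const model_token *effective, uint64_t *logon_id) {
    if (effective->impersonation && effective->level < LVL_IMPERSONATION)
        return -1;
    *logon_id = effective->logon_id;
    return 0;
}

/* Returns the logon session whose key would be selected, or 0 on refusal. */
uint64_t key_session(const model_token *effective, bool checked) {
    uint64_t id = 0;
    int rc = checked ? capture_checked(effective, &id)
                     : capture_unchecked(effective, &id);
    return rc == 0 ? id : 0;
}

/* Constructed sample tokens: 0x1111 is the caller's session, 0x2222 another user's. */
const model_token OWN_PRIMARY = { 0x1111, false, LVL_ANONYMOUS };
const model_token OTHER_IDENT = { 0x2222, true,  LVL_IDENTIFICATION };
const model_token OTHER_IMPER = { 0x2222, true,  LVL_IMPERSONATION };

int main(void) {
    printf("unchecked, Identification token: %#llx\n",
           (unsigned long long)key_session(&OTHER_IDENT, false));
    printf("checked,   Identification token: %#llx\n",
           (unsigned long long)key_session(&OTHER_IDENT, true));
    return 0;
}
```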

Information disclosure glitch remains unpatched for now

Present on both 32-bit and 64-bit architectures, the problem was reported to Microsoft on October 17, 2014. The company then confirmed on October 29 that its developers managed to reproduce the bug.

Microsoft intended to provide a patch to its customers on Tuesday this week, as part of the monthly security updates for all Windows versions currently maintained. It is important to note that the vulnerability had a disclosure date set for January 15.

However, the vendor informed Google that it would not be able to deliver a fix in January because compatibility trouble arose; as such, it would be delivered as part of next month’s security updates.

A three-month frame is generally sufficient for a software vendor to fix security bugs, but in the case of a large company like Microsoft, compatibility of the patch with different user configurations should not be ignored.