Microsoft planned release of a fix on Patch Tuesday, two days after the date set by Google for making the bug public

Jan 12, 2015 22:57 GMT  ·  By

Security researchers at Google discovered a new elevation of privilege vulnerability affecting Windows 8.1, and revealed it to the public before Microsoft managed to release a patch.

If exploited, the vulnerability enables a lower-privilege account to increase its rights on the machine and perform operations restricted to administrators.

This is not a critical problem on its own, but it can prove to be a valuable asset for an attacker who has exploits for flaws that could ultimately lead to taking control of the machine.

Bug is present at each log-in

When logging into Windows as a standard user, the User Profile Service has to create the base profile directory under C:\Users for the account and mount the registry hives with the user’s permission level.

In the case of an administrator user, only the base profile directory needs to be created, because mounting the registry hives with the assigned permissions is already possible.

However, Google security researcher James Forshaw discovered that “the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through,” and that the “resources created while impersonating Local System might be exploitable to elevate privilege.”

He stresses that the bug occurs at each user log-in, not only during the initial creation of a local profile.

Microsoft had three months to fix the problem

Forshaw identified several problems, one of which stands out as more serious. It concerns how the UsrClass.dat registry hive is handled, and it is also present in Windows 7.

“The profile service queries for the location of AppData\Local from the user’s registry hive, then tries to create the Windows folder and UsrClass.dat file. By creating a new folder structure, changing the user's shell folders registry key and placing a junction in the hierarchy you can get this process to open any other UsrClass.dat file on the system, assuming it isn't already loaded,” he wrote in the vulnerability disclosure.
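As an added defensive check (not from the article or from Forshaw's disclosure), the following PowerShell snippet tests, for the current user, the two conditions the described issue depends on: that the Local AppData shell-folder setting still resolves inside the profile, and that no directory on that path is a junction or other reparse point. It assumes the standard User Shell Folders key and the "Local AppData" value name.

```powershell
# Added defensive check (not from the original article): verify that the
# current user's "Local AppData" shell-folder setting still resolves inside
# the profile and that no directory on that path is a junction/reparse point.
$profileRoot = [System.IO.Path]::GetFullPath($env:USERPROFILE)
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$findings = @()

# Read the raw (unexpanded) value so that a redirected REG_EXPAND_SZ is visible;
# fall back to the default location when the value is absent.
$regKey = Get-Item -LiteralPath $key
$raw = $regKey.GetValue('Local AppData', $null, 'DoNotExpandEnvironmentNames')
if ($null -eq $raw) { $raw = '%USERPROFILE%\AppData\Local' }
$expanded = [Environment]::ExpandEnvironmentVariables($raw)
$resolved = [System.IO.Path]::GetFullPath($expanded)

if (-not $resolved.StartsWith($profileRoot + '\', [StringComparison]::OrdinalIgnoreCase)) {
    $findings += "Local AppData points outside the profile: '$raw' -> '$resolved'"
}

# Walk each directory component below the profile root and flag reparse points
# (junctions, symbolic links), which an open by the profile service would follow.
$current = $profileRoot
$relative = $resolved.Substring([Math]::Min($profileRoot.Length, $resolved.Length)).TrimStart('\')
foreach ($part in ($relative -split '\\')) {
    if ($part -eq '') { continue }
    $current = Join-Path $current $part
    if (Test-Path -LiteralPath $current) {
        $item = Get-Item -LiteralPath $current -Force
        if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "Reparse point in profile path: '$current'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: Local AppData resolves to '$resolved' with no reparse points"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it in the context of the account being checked; a warning means the profile path has been redirected or contains a link the profile service would follow, which is the setup the disclosure describes and worth investigating.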

Google reported the elevation of privilege flaw to Microsoft on October 13, 2014, informing the company that there was a disclosure date set for January 11, 2015.

Google followed through with its disclosure policy, which gives companies 90 days to come up with a fix, and made the bug public on Sunday, also providing a proof-of-concept batch file that demonstrates one of the issues discovered.

Patch becomes available on Patch Tuesday

After confirming the vulnerability, Microsoft communicated to Google that it would be ready to ship a patch in February 2015.

Google replied that an extension would not be granted, regardless of the software vendor or the nature of the flaw, and the bug was made public on the set date.

Microsoft then responded that the problem would be solved in January 2015. However, the update cycle for Windows is scheduled for the second Tuesday of each month, known as Patch Tuesday, which in this case meant that the date was just two days after the deadline imposed by Google.

Needless to say, Microsoft took offense at Google’s behavior. Chris Betz, senior director at the Microsoft Security Response Center (MSRC), says that customers are the ones who may suffer as a result of Google’s refusal to delay the disclosure of the vulnerability details until the patch had been pushed to consumers.