Follow Us on WhatsApp | Telegram | Google News

Google Disclose Another Vulnerability in Windows 8.1

Table of Contents
Earlier this month Google security team known as "Project Zero" have disclose the critical vulnerability on Windows 8.1 operating system and team have make it public before the software giants patched the vulnerability and leaves millions of users under threats.

Now once again Google Security team have disclose another critical Privilege Escalation bug on Windows 8.1 operating system. Team have disclose all the technical details of the  bug before it get patched by Microsoft, following its 90-day public disclosure deadline policy.

What is Google Project Team ?
Google Project Team is a new team with the Top Security Researcher that will research on the security threats, finding vulnerabilities and also other security threats. Chris Evans, who is the one to lead the Project Zero team.

Google Vs Microsoft
At the time, Microsoft criticized Google for disclosing the Windows 8.1 security flaw out in the public just before it was planing to fix it. According to Microsoft, the Windows 8.1 vulnerability disclosed by Google may have potentially exposed the users of the operating system to hackers.

As Microsoft had announced to fixed the bug of Windows 8.1 but after the announcement Google team had released another bug details  following its 90-day public disclosure deadline policy.

In November, Microsoft asked Google for an extension of the deadline till February 2015, when it plans to address the issue. However, the search engine giant refused. But later when Microsoft promised to address the vulnerability in January Patch Tuesday, Google still refused to extend its deadline even by two days.
In the blogpost senior director with Microsoft’s Security Response Center Chris Betz, wrote -
"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Betz,  "Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result."
Technical Details of second Vulnerability
Project Zero team have wrote that when a users log into a computer the User Profile Service is used to create certain directories and mount the user hives. So rather than loading the hives Google team recommend to create a base  profile directory under Privilege account to be secure as normal users requires administrator privileges to do so.
"However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs everytime the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile."- Google team wrote.

Read Also
Post a Comment