Nearly three months after the group's creation, Google's “Project Zero” team discovered an elevation of privilege flaw in Windows 8.1, and 90 days after disclosing it to Microsoft, the researchers have detailed the vulnerability online.
The flaw is in NtApphelpCacheControl, a function that is used for caching application compatibility information, and could be used to bypass user account control and allow a malicious application to act as an administrator, Sophos wrote in its security blog. The flaw can only be exploited if a device has already been compromised, however.
Although Google gave Microsoft 90 days to effectively patch the flaw, the Windows creator did not release a fix during that time period. Chris Boyd, malware intelligence analyst at Malwarebytes, said in a prepared comment to SCMagazine.com that the tech company might have needed more time to fix the issue.
“While 90 days may be long enough to fix flaws found in many pieces of software, we can't say for certain what Microsoft would have to do behind the scenes to address this issue,” Boyd said. “It can't risk introducing more vulnerabilities or break key components by rushing a fix.”
Meanwhile, Google's page detailing the vulnerability filled with comments from users who said this flaw's exposure could impact billions and its release would ultimately harm Windows users, as opposed to helping push Microsoft to issue a patch.
For its part, a Microsoft spokesperson said the company is working to release a security update and reminds users to remain vigilant on security practices.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,” the spokesperson said in an email to SCMagazine.com. “We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer.”
Google didn't respond to a SCMagazine.com request for comment.
Microsoft's next Patch Tuesday is next week, on January 13.