A Google researcher has disclosed an unpatched vulnerability in Windows 8.1 after Microsoft did not fix the problem within the 90-day window Google gave its competitor. The disclosure of the bug on Google's security research website early this week stirred up a debate about whether publishing the vulnerability was appropriate.
The bug allows standard, non-administrative Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear whether versions of Windows earlier than 8.1 were affected by the bug.
The vulnerability resides in AhcVerifyAdminContext, an internal function rather than a public API, which is supposed to check whether the caller is an administrator before a privileged operation is allowed to proceed; the flaw is that a non-administrative caller can get past this check.
Google's James Forshaw tested the proof of concept (PoC) on Windows 8.1 Update, in both the 32-bit and 64-bit versions, and recommended running the 32-bit build. To verify, perform the following steps:
1. Put AppCompatCache.exe and Testdll.dll on disk.
2. Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3. Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".
4. If the exploit succeeds, Calculator appears running as an administrator. If it does not work on the first attempt (and the ComputerDefaults program opens instead), re-run the exploit from step 3; there seems to be a caching or timing issue on the first run.
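The PoC relies on the environment described in step 2: UAC turned on, the out-of-the-box admin prompt policy, and a caller holding a filtered (split-token) administrator token rather than a full elevated one or a plain standard-user token. The following PowerShell script is an added example, not part of the Project Zero report or its PoC; it checks those three preconditions before the exploit is launched. It reads the documented UAC policy values under HKLM\...\Policies\System and parses the output of `whoami /groups`; the function name Test-PocPreconditions is an arbitrary choice for this example.

```powershell
# Added example (not the Project Zero PoC): verify the preconditions the PoC
# instructions require before running AppCompatCache.exe.
function Test-PocPreconditions {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 5 is the
    # default "prompt for consent for non-Windows binaries" setting; 0 (never
    # prompt) or 1/2 (always prompt, with or without credentials) are not the
    # default configuration the PoC instructions assume.
    $uacEnabled    = ($policy.EnableLUA -eq 1)
    $defaultPrompt = ($policy.ConsentPromptBehaviorAdmin -eq 5)

    # A split-token admin is a member of BUILTIN\Administrators (S-1-5-32-544)
    # whose current token carries that group as "deny only" and runs at
    # medium integrity (S-1-16-8192). A fully elevated token shows the group
    # as enabled and the label as High (S-1-16-12288); a plain standard user
    # has no Administrators entry at all. Both of those fail this check.
    $groups        = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $filteredAdmin = ($null -ne $adminGroup) -and ($adminGroup.Attributes -match 'deny only')
    $mediumIL      = $null -ne ($groups | Where-Object { $_.SID -eq 'S-1-16-8192' })

    [pscustomobject]@{
        UacEnabled          = $uacEnabled
        DefaultPromptPolicy = $defaultPrompt
        SplitTokenAdmin     = ($filteredAdmin -and $mediumIL)
    }
}

$state = Test-PocPreconditions
$state | Format-List

if ($state.UacEnabled -and $state.DefaultPromptPolicy -and $state.SplitTokenAdmin) {
    Write-Host 'Preconditions met. From the directory holding the PoC files, run step 3:'
    Write-Host '  AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll'
} else {
    Write-Host 'One or more preconditions are not met; the PoC is expected to fail in this configuration.'
}
```

Run the script from the same non-elevated command prompt you intend to launch the PoC from. Running it from an elevated prompt reports SplitTokenAdmin as false, which is the correct answer: an already-elevated shell is not the situation the exploit is meant to escalate from.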
Google's 90-day deadline for fixing bugs is "the result of many years of careful consideration and industry-wide discussions about vulnerability remediation," the company said. "Security researchers have been using roughly the same disclosure principles for the past 13 years … and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy."
Google will monitor the effects of its policy closely, the company added. "We want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security."