Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."

A victim of applications and history

[Junta]

This seems to come out of the peculiar microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in an non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to it's application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

Re:A victim of applications and history

[ceoyoyo]

You should type "man sudo" sometime.

Re:Poor choices to use proprietary cause this!

[plover]

Let's see how that plays out in the Open Source world:
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
Step 5: wait for it ...
Step 6: enjoy your now-patched system.

I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.

Re:Let's be honest

[gatkinso]

For a long time I thought that... then I actually tried Windows 8.1.

It is not bad actually, and far better than 7 in every way that I can tell.

Re:Ha ha ha

[nobuddy]

People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.