Slashdot Mirror


Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90-day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."

7 of 129 comments

  1. 90 days to fix by Anonymous Coward · Score: 5, Insightful

    "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
    Really? They had 90 days to fix this. That is plenty of time.

    1. Re: 90 days to fix by O('_')O_Bush · Score: 3, Insightful

      That really isn't Google or our problem. Attackers aren't going to politely wait for Microsoft to fix issues like this, and Microsoft won't fix issues like this unless they are pressed to. And this brings up the glaring flaw with closed source products. If a third party flagged an issue in an open source product, any user that is concerned enough could potentially fix it or patch their own systems themselves. With closed source, we have to wring our hands and wait for someone at Microsoft to care enough to fix it.

      --
      while(1) attack(People.Sandy);

    2. Re:90 days to fix by Anonymous Coward · Score: 2, Insightful

      It is a user escalation vulnerability. These sorts of vulnerabilities sometimes exist in Linux for months or years as well. They are generally considered less urgent to fix.

    3. Re:90 days to fix by hawguy · Score: 4, Insightful

      I think after 90 days, Microsoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.

      No one is "forced" to continue using MS products -- unless they signed a support contract for extended support, MS can't be held responsible for supporting legacy systems indefinitely. If you don't want to be stuck with a system running an unsupported operating system, then you can sign (and pay for) a long-term support contract throughout the life of your product, you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself, or you can plan on upgrading your product hardware/software to stay with currently supported software.

      I fail to see how Microsoft has any responsibility to support software for a hardware product that a manufacturer has decided not to keep current enough to run supported software. If the old HVAC system in your building relies on Windows 3.1 to keep it running, then maybe you ought to go after the vendor that sold it to you. If a replacement for the fan motor in your HVAC system is no longer available, you'd either retrofit to accept a current motor, or just upgrade the entire system, which is what you should do when the computer that controls it is no longer supported by current software.

  2. Grammar police alert by Anonymous Coward · Score: 4, Insightful

    Undisclosed?

  3. Ha ha ha by drinkypoo · Score: 4, Insightful

    The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.

    Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re:Poor choices to use proprietary cause this! by jones_supa · Score: 4, Insightful

    While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

    It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.

    People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.