Slashdot Mirror


Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
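The summary says AhcVerifyAdminContext() fails to check the caller's impersonation token correctly, but not how. As an added example (not code from the page, from the Google report, or from Microsoft), the PowerShell below shows the two things a user-mode "is the caller an administrator?" check has to look at: the effective token (the thread's impersonation token when one is present, otherwise the process's primary token), and that token's impersonation level, because a token at SecurityIdentification level only names the client and cannot be used to act on its behalf. The function name and the output shape are this example's own choices.

```powershell
# Added example: what an admin-only authorization check should inspect.
# Not the code from ahcache.sys; the function name and output are this example's own.
function Test-CallerIsAdmin {
    # GetCurrent() returns the thread's impersonation token if the thread is
    # impersonating a client, otherwise the process's primary token. A check that
    # only ever looks at the primary token sees the server, not the caller.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # Group membership check. On a UAC-filtered token the Administrators SID is
    # marked "use for deny only", so this returns $false for a non-elevated admin.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # A primary token reports ImpersonationLevel = None. An impersonation token
    # below Impersonation level (Anonymous, Identification) identifies the client
    # but confers no right to act as the client, so it must not satisfy the check.
    $level  = $identity.ImpersonationLevel
    $usable = ($level -eq [Security.Principal.TokenImpersonationLevel]::None) -or
              ($level -ge [Security.Principal.TokenImpersonationLevel]::Impersonation)

    [pscustomobject]@{
        User               = $identity.Name
        InAdminGroup       = $isAdmin
        ImpersonationLevel = $level
        AuthorizedAsAdmin  = ($isAdmin -and $usable)
    }
}

# Usage: run once from a normal shell and once from an elevated one and compare.
Test-CallerIsAdmin
```

Running this from a non-elevated shell of a user in the Administrators group prints InAdminGroup = False, which is the UAC split-token behaviour discussed further down this page (`whoami /groups` shows the group as "Group used for deny only"). A kernel driver answering the same question has to do the equivalent with the caller's thread token, and the impersonation level it gets back is part of the answer, not an optional extra.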

23 of 129 comments

  1. 90 days to fix by Anonymous Coward · · Score: 5, Insightful

    "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
    Really? They had 90 days to fix this. That is plenty of time.

    1. Re: 90 days to fix by O('_')O_Bush · · Score: 3, Insightful

      That really isn't Google or our problem. Attackers aren't going to politely wait for Microsoft to fix issues like this, and Microsoft won't fix issues like this unless they are pressed to. And this brings up the glaring flaw with closed source products. If a third party flagged an issue in an open source product, any user that is concerned enough could potentially fix it or patch their own systems themselves. With closed source, we have to wring our hands and wait for someone at Microsoft to care enough to fix it.

      --
      while(1) attack(People.Sandy);
    2. Re:90 days to fix by Anonymous Coward · · Score: 2, Insightful

      It is a user escalation vulnerability. These sorts of vulnerabilities sometimes exist in Linux for months or years as well. They are generally considered less urgent to fix.

    3. Re: 90 days to fix by The+Fifth+Man · · Score: 2, Funny

      If only there were a way to communicate such bugs discovered in an open source piece of software to lots and lots of people. That way, many sets of eyes would surely see and then fix the issue and, in turn, communicate the fix and maybe distribute a binary for patching.

    4. Re:90 days to fix by Charliemopps · · Score: 2

      "The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
      Really? They had 90 days to fix this. That is plenty of time.

      You've never been through regression testing have you?

    5. Re:90 days to fix by hawguy · · Score: 4, Insightful

      I think after 90 days, Microsoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.

      No one is "forced" to continue using MS products -- unless they signed a support contract for extended support, MS can't be held responsible for supporting legacy systems indefinitely. If you don't want to be stuck with a system running an unsupported operating system, then you can sign (and pay for) a long-term support contract throughout the life of your product, you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself, or you can plan on upgrading your product hardware/software to stay with currently supported software.

      I fail to see how Microsoft has any responsibility to support software for a hardware product that a manufacturer has decided not to keep current enough to run supported software. If the old HVAC system in your building relies on Windows 3.1 to keep it running, then maybe you ought to go after the vendor that sold it to you. If a replacement for the fan motor in your HVAC system is no longer available, you'd either retrofit to accept a current motor, or just upgrade the entire system, which is what you should do when the computer that controls it is no longer supported by current software.

    6. Re: 90 days to fix by guruevi · · Score: 2

      Really? Any coder able to find issues like this should be able to fix issues like this if they have the proper source code. Most issues are trivial to fix, substituting an unsafe call with a safe(r) call (eg. strcpy vs strncpy) is often enough to fix most issues.

      Sure there will be some side cases where it is really hard or there may be better solutions than your patch (eg. I recently found a bug in the MariaDB optimizer which leads to bad data being returned) but then at least if the product on top of it (CiviCRM and Drupal in my case) is also open source, at least I can modify the query to fit my needs even though both Drupal and CiviCRM people say 'not our problem'.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re: 90 days to fix by gweihir · · Score: 2

      Actually, for FOSS projects a single user that fixes it and submits a patch is enough for all users to have a patch. This is much more powerful and the reason fix-times are often measured in hours for well-done FOSS projects.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:90 days to fix by hawguy · · Score: 2

      you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself

      Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.

      Then you haven't applied enough money and/or pressure.

      I worked for a large VAR years ago that had access to the Windows source... I don't think they had the whole source tree, they couldn't do a full build, but they could get access to any module they needed.

      I worked for another company that was the largest and most well known customer of an up and coming database company, they used our name heavily in marketing - we wanted source code escrow in case the DB company went under and we had to support it ourselves. After months of negotiation we couldn't come to an agreement, so we told them we were moving to a different product and engineering was actively porting over to the other product. In less than a month, that company capitulated and we had full access to their source code (not just escrow, we had live access to their source code repository).

      If you don't have enough money and/or pressure to get access to the source code, then you're accepting Microsoft's limited support window and shouldn't cry foul when Microsoft stops supporting your product.

  2. Grammar police alert by Anonymous Coward · · Score: 4, Insightful

    Undisclosed?

    1. Re:Grammar police alert by ceoyoyo · · Score: 2

      Google inadvertently reveals they have captured enough of the Internet to erase things from it.

  3. Ha ha ha by drinkypoo · · Score: 4, Insightful

    The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.

    Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Ha ha ha by nobuddy · · Score: 5, Informative

      People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
      Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.

    2. Re:Ha ha ha by Dutch+Gun · · Score: 5, Interesting

      Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority. They've taken reported security exploits seriously for a very long time now, and disclosing any vulnerability before a patch is deployed is absolutely irresponsible. It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.

      Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people... much more so than security issues that may not have even been seen in the wild yet (I saw no indication in the linked article that this was the case) - but now probably will since the attack is known. If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

      Sorry if I sound like an MS shill, but Google is really starting to piss me off with their high-handed attitude on stuff like this lately.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Ha ha ha by robi5 · · Score: 2

      I've been laughing, reading your tongue-in-cheek humor until your last sentence... then realized that maybe you actually meant what you wrote...

    4. Re:Ha ha ha by drinkypoo · · Score: 2

      Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people

      So, get to the part where it's google's fault that Microsoft is too incompetent to take security seriously?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. A victim of applications and history by Junta · · Score: 2, Informative

    This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

    MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

    To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:A victim of applications and history by ceoyoyo · · Score: 4, Informative

      You should type "man sudo" sometime.

  5. Re:Poor choices to use proprietary cause this! by halivar · · Score: 3

    While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

    The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.

  6. Re:Poor choices to use proprietary cause this! by plover · · Score: 2, Informative

    Let's see how that plays out in the Open Source world:
    Step 0: discover exploitable vulnerability in Linux kernel random number generator.
    Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
    Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
    Step 3: publicly post details of exploit
    Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
    Step 5: wait for it ...
    Step 6: enjoy your now-patched system.

    I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.

    --
    John
  7. Re:Poor choices to use proprietary cause this! by jones_supa · · Score: 4, Insightful

    While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

    It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.

    People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

  8. Re:Let's be honest by gatkinso · · Score: 4, Informative

    For a long time I thought that... then I actually tried Windows 8.1.

    It is not bad actually, and far better than 7 in every way that I can tell.

    --
    I am very small, utmostly microscopic.
  9. Re:Let's be honest by gatkinso · · Score: 4, Interesting

    Boots faster. Is more stable. Uses less memory resources. Windows networking seems to work better. Seamless integration with the kids' Xbox.

    I seem to have much more luck developing drivers on 8.1 as well - far less error check screens (more a function of me learning the DDK), also at the user level ETW seems rather more robust. Windbg also seems to be more stable when running on 8.1.

    Also, I like the UI better (on the desktop) - I largely ignore the metro screen or whatever it is called.

    --
    I am very small, utmostly microscopic.