Google under fire over Windows zero-day disclosure

Google has come under fire for publishing a proof-of-concept attack exploiting a flaw in Windows 8.1 before Microsoft had released a security update.

A researcher in Google's Project Zero group discovered a flaw in Windows 8.1 that can allow attackers to escalate privileges to the level of administrator to gain complete control of a targeted computer.

Project Zero was launched by Google in July 2014 to improve global cyber security by identifying and disclosing security vulnerabilities first to software suppliers, then publicly within 90 days.

Google reported the flaw to Microsoft, but released functioning exploit code before Microsoft was able to release the patch it is working on.

According to Google, the flaw exists at least in the 32-bit and 64-bit versions of Windows 8.1. This affects 9.5% of all desktops and laptops, according to December 2013 figures from market research firm NetMarketShare.

Initially, Microsoft was criticised for failing to release a patch within Google’s 90-day deadline aimed at putting pressure on software makers to respond to its vulnerability reports.

But now Google’s 90-day deadline has come under fire for exposing Windows 8.1 users to potential attacks unnecessarily.

Although response to the news has been mixed, most comments on the Google bug report express concerns about the automatic application of the 90-day rule.

“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google,” wrote one commenter on Google’s bug report.

“While 90 days may be long enough to fix flaws found in many pieces of software, we can't say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at security firm Malwarebytes.

“Microsoft cannot risk introducing more vulnerabilities or flat out breaking key components by rushing a fix, but now it is under some visible pressure to tackle the problem one would hope the eventual patch does not cause more security holes further down the line,” he said.

Independent security consultant Graham Cluley said if Google had waited until Microsoft had released a patch for the problem, only then could it be argued it was acceptable for the Google Project Zero team to release details of the vulnerability. 

“But Google knew that Microsoft hadn’t yet released a patch (heck, you can’t blame them for not rushing after the buggy security patches that have come out of Redmond recently), and yet it felt it was reasonable to release proof of concept which malicious hackers could use as a basis for their own attacks,” he wrote in a blog post.

Security flaw not of the highest severity

However, Cluley noted that fortunately the security flaw uncovered by Google’s researchers is not of the highest severity. 

According to Microsoft, an attacker would “need to have valid log-on credentials and be able to log on locally to a targeted machine” to exploit the flaw.

Nonetheless, Cluley said it is still easy to imagine a disaffected employee at any organisation using the bug to cause mayhem if they so wished.

Instead of publishing exploit code that anyone can use, he said, Google should have kept up the pressure on Microsoft to fix the vulnerability by going to the media.

“There’s a right way and a wrong way to raise awareness of zero-day security holes that haven’t been patched yet,” said Cluley.

“Google – the company which famously has the policy of ‘don’t be evil’ – is going about it the wrong way, and potentially putting many of us at risk,” he said.

Network-connected systems leave enterprise vulnerable

Ethics aside, the Windows 8.1 flaw underlines that in modern enterprise network-connected systems, local exploits have enterprise-wide implications, said chief evangelist at security analytics firm RedSeal, Steve Hultquist.

“Because systems are networked together, a vulnerability allowing the escalation of privilege can provide authorisation allowing administrative activities across the network, depending on how the specific applications are designed, how the network is connected and more,” he said.

According to Hultquist, tracking down these consequences across a modern network requires automated analysis of a broad range of complex systems and devices, ad-hoc queries to determine the implications of issues such as this one, and engineering to limit the impact.

“Having an accurate model of the network is a critical component of defence against this and other unexpected zero-day issues,” he said.

Although Microsoft has confirmed it is working on a security update to fix the vulnerability, there has been no indication of when the company expects to make it available to users of Windows 8.1.

The software company is also yet to confirm whether the flaw is confined to Windows 8.1 or affects other versions of its operating system as well.

Responding to criticism of the 90-day deadline, a Project Zero team member said the policy is the “result of many years of careful consideration and industry-wide discussions about vulnerability remediation”.

He said while the researchers believe their current policy provides the “optimal approach for user security”, they are monitoring the effects of the policy closely. 

"We want our decisions here to be data-driven, and we're constantly seeking improvements that will benefit user security," he wrote in a blog post.
