
Unpatched Windows Privilege Elevation Vulnerability Details Disclosed

  • January 2, 2015

Jasper_The_Rasper
Moderator
by Michael Mimoso, January 2, 2015, 11:40 am

Google’s Project Zero has disclosed the details of an unpatched Windows vulnerability reported to Microsoft in September.

The disclosure was made on Monday upon the expiration of the 90-day waiting period imposed by Google researchers. Microsoft has yet to patch the Windows 8.1 vulnerability that would allow a hacker to elevate their privileges on an affected computer to gain administrator access.

A request for comment from Microsoft was not returned in time for publication. Microsoft’s next set of Patch Tuesday security bulletins are scheduled to be released Jan. 13.

3 replies

  • Community Guide
  • January 2, 2015
By Alan Buckingham
 
When you are the top anything in this world it not only brings fame or notoriety, but it also provides a target. In the case of Microsoft's Windows, it has become the bullseye that bad guys aim for. Sometimes it's the bad guys who get there first, sometimes it's the security researchers who report the issues. In the latest case, it was thankfully the good guys.
The problem with this flaw is that it would allow a bad guy to bypass authentication on a system by using a generated token. Worse, while the flaw isn't part of User Account Control, the proof of concept released does use this part of Windows.
 
The demonstration, when successful, launches the Windows Calculator and it's running in administrator mode. "If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from [step] 3, there seems to be a caching/timing issue sometimes on first run", the report states.
 

Jasper_The_Rasper
Moderator

Windows 8.1 Vulnerability Unfixed After 90 Days, Google Says

 
By Mathew J. Schwartz, January 5, 2015.
 
Microsoft says it's prepping a patch for a vulnerability that exists in Windows 8.1 - and possibly other versions of Windows - that was recently disclosed by Google. The bug report has triggered both praise and condemnation for the 90-day deadline Google gives vendors to patch flaws before it publicly releases full details of a bug.
Microsoft says the flaw spotted by Google's researchers could facilitate a privilege-escalation attack, thus giving an attacker administrator-level access to a system, which could allow them to bypass some security controls and execute malicious code. "We are working to release a security update to address an elevation of privilege issue," Microsoft says in a statement.

Baldrick
Gold VIP
  • January 5, 2015
Personally I think that Google's 90 day disclosure policy, or should that really be labelled 'You have 90 days until we disclose for you if you have not by then' policy...stinks, despite what they say about it being about openness on the web.
 
They are not helping anyone at all by having it and in fact come across as rather arrogant and imperious...but then again, that is Google for you, IMHO. ;)
 
Baldrick