Google Finds More Windows Vulnerabilities
Google has made public information on two more Windows flaws -- both found in Windows 7 and Windows 8.1.
Once again coming out of Google's Project Zero, the company's dedicated team working towards finding vulnerabilities that could lead to online targeted attack, the information on the two flaws was released over the weekend. The disclosures come on the heels of Microsoft criticizing Google over the manner in which it alerts the public to bugs.
The first, and most severe, is a bug found in a Windows 7 and 8.1 feature called CryptProtectMemory that could allow encrypted memory to be unencrypted if a user login was spoofed. Google said the issue lies with the initial login session.
"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session," wrote a Project Zero researcher in a blog post. "This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section."
The second issue resides only in Windows 7 and could allow someone with admin rights to access specific power functions with the use of an impersonated login token. In Windows 8 and 8.1, the feature in question, NtPowerInformation, checks to see if the token is spoofed before logging in.
If you think this flaw doesn't quite sound like a high-priority security issue, Google researchers agree. "It isn't clear if this has a serious security impact or not, therefore it's being disclosed as is," wrote Google. "Some functions are also checked by a privilege check, however the subject context is captured separately so there exists a TOCTOU window between checks which could be exploited."
Along with a breakdown of the two flaws, Google also released proof-of-concept code to easily replicate the issues. Both flaws were privately disclosed to Microsoft on Oct. 17, 2014 and Google waited the 90-day disclosure period before releasing the information. As for the first flaw, Google said that Microsoft wanted to include a fix with the January patch, but compatibility issues have pushed the release back to February. Microsoft also said that the second issue is not "considered serious enough for a bulletin release," according to Google.
While Microsoft did not comment on whether or not it asked Google to hold onto information in the wake of an upcoming fix, as it did with Google's earlier Windows 8.1 flaw disclosure, a company spokesperson did issue the following statement. "We are not aware of any cyberattacks using the CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first. We continue to believe that security researchers should engage with software companies to privately disclose vulnerabilities and work together to further protect customers."