A security researcher at Google has published details of an as-yet unpatched vulnerability in Windows 8.1, three months after reporting the problem to Microsoft.
Google's Security Research arm practices responsible disclosure, meaning that newly-discovered vulnerabilities are communicated in private to the maintainers of the affected software. The maintainers are then given a chance to investigate the issue and publish a patch to resolve the problem before the flaw is communicated to the general public - helping to prevent 'zero-day' scenarios where a widespread vulnerability becomes public knowledge before protections against its exploitation can be put in place.
That practice hasn't prevented the company from publicising an as-yet unresolved security vulnerability in Microsoft's Windows 8.1 operating system, however. A post made to the company's security mailing list went public
late last month, 90 days after it had been privately disclosed to Microsoft - but ahead of the company releasing a patch for the flaw. Relating to the caching of application compatibility data, the vulnerability allows for arbitrary code to be executed under administrative user privileges - a serious concern - on both 32-bit and 64-bit versions of the operating system.
Microsoft has confirmed the vulnerability, but has not indicated why it has gone unpatched for three months since it was notified of the problem. 'We are working to release a security update to address an Elevation of Privilege issue,
' the company announced yesterday. 'It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
Responding to complaints about the automated publication of an unpatched vulnerability, a member of Google's Project Zero security team explained that 'on balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.
Details of the vulnerability and a proof-of-concept exploit can be found on the Google Security Research
group. No patch is yet available from Microsoft.