Earlier, Google’s Project Zero team had reported the Spectre and Meltdown vulnerabilities affecting Windows 10, and Microsoft issued an update that fixed those critical flaws in the Windows OS. Now Project Zero security researchers have disclosed another high-severity Windows 10 security flaw.
Project Zero is a team of security analysts employed by Google and tasked with finding zero-day vulnerabilities. When it finds a new flaw, Google’s policy is to disclose it publicly after 90 days, a practice that is often criticized. Within that period of nearly three months, the affected vendor has time to fix the issue before public disclosure. It seems that once again Microsoft has failed to patch the flaw before Google’s 90-day disclosure deadline. This new Windows 10 flaw allows a normal user to gain administrative privileges, and it is still unclear when Microsoft will release a Windows update fixing it.
A similar security flaw was earlier reported against Windows 10 version 1447. This newly disclosed flaw was confirmed on Windows 10 version 1709. The Project Zero researcher also attached proof-of-concept code in C++ that creates a text file in the Windows folder and abuses the SvcMoveFileInheritSecurity RPC to overwrite its security descriptor, granting access to everyone. Microsoft currently rates the flaw as ‘Important’ rather than ‘Critical’. An attacker could still gain administrative access by combining it with a separate, as yet unknown remote code execution bug. According to the latest reports, this privilege escalation flaw is not exploitable remotely or from sandboxed browsers, which is why Microsoft has not rated it ‘Critical’.
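As an added defender-side check, not part of the original article or the Project Zero report: the PowerShell audit below lists files directly under the Windows folder whose DACL grants write, permission-change or ownership rights to Everyone, Authenticated Users or Users, which is the condition the proof-of-concept leaves behind. The identity list, the rights mask and the top-level-only scan are assumptions of this example.

```powershell
# Added example (not from the article or the Project Zero report): audit files
# directly under %SystemRoot% for ACEs that hand broad write rights to
# low-privilege identities. Run from an elevated PowerShell prompt.
param(
    [string]$Root = $env:SystemRoot
)

# Identities that should not normally hold write rights on system files (assumed list).
$broadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# Write covers WriteData/AppendData/attributes; ChangePermissions and TakeOwnership
# catch ACEs that let a user rewrite the DACL itself. Modify and FullControl
# contain these bits, so they match too.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor `
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Emit one record per suspicious ACE so the output can be piped to
        # Export-Csv or compared against a known-good baseline.
        [pscustomobject]@{
            Path     = $file.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Owner    = $acl.Owner
        }
    }
}
```

Compare any hit against a known-good machine before treating it as evidence, since a few files legitimately grant broader rights.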
The Project Zero researcher who discovered this new Microsoft Windows vulnerability said:
Some additional notes about this issue. Firstly, based on the fix for issue 1427, this only affects Windows 10; it does not affect any earlier versions of Windows such as 7 or 8.1. However, I’ve not verified that to be the case, but there’s no reason to believe it’s incorrect. MS consider this to be an ‘Important’ issue, but crucially not a ‘Critical’ issue. This is because this issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However, in order to execute the exploit you’d have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue; it’s easy to exploit, but it doesn’t take into account the prerequisites to exploiting the issue in the first place.
Microsoft has a history of disagreements with Google over its approach to public vulnerability disclosure, since a disclosed flaw can be exploited until it is fixed; still, it is quite likely that Google’s aggressive hunting for and reporting of security flaws is making its rival software companies more secure. When contacted about this new Windows 10 flaw, Microsoft said a Windows update with the fix will be rolled out soon.