After having outed a vulnerability in Windows a few weeks ago, Google is at it again. This time a Google security researcher detailed another vulnerability in in both Windows 8.1 and Windows 7. Similar to the exploit that Google previously detailed, this vulnerability could allow a user to impersonate another ID, allowing encryption and decryption of data he or she otherwise wouldn't have access to.
From the report:
"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section."
Similar to Google Security Research's previous report, this news comes before a patch has been issued by Microsoft to fix the exploit, something that drew the ire of the tech giant earlier this week. However, it is important to note that the details of these security exploits are subject to a 90 day disclosure deadline, and it appears (according to the logs) that Microsoft has been aware of the issue for quite some time, and a fix is expected in its February patches.