
Unpatched vulnerability in Windows 8.1 gets published

An unpatched vulnerability in Windows 8.1 has been disclosed on Google Security Research. The issue was subject to a 90-day automatic disclosure policy: the details of a reported vulnerability are published after 90 days if no patch is broadly available by then. The bug allows privilege elevation through NtApphelpCacheControl in ahcache.sys.

From the report:

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token and LocalSystem's SID. It doesn't check the impersonation level of the token, so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token, but there are probably other ways.

So far this issue has only been found on Windows 8.1, and it is unknown if previous versions of Windows are vulnerable. While no patch is broadly available, at least one user reports that they are unable to replicate the bug in recent builds of Windows 10.
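The check the report describes, as an added constructed model (not code from the report, from ahcache.sys or from Windows): the vulnerable form compares only the user SID, while the hardened form also requires an impersonation level that authorises acting as the user. The Token type, the text SIDs and the function names are assumptions made for the model; the enum values mirror Windows' SECURITY_IMPERSONATION_LEVEL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the check the report describes, not the real
 * ahcache.sys code: a caller is treated as LocalSystem if the user SID in
 * its impersonation token matches LocalSystem's SID. The vulnerable form
 * never looks at the token's impersonation level. */

/* Values mirror the Windows SECURITY_IMPERSONATION_LEVEL enumeration. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1, /* identifies the user, grants no right to act as them */
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} ImpersonationLevel;

/* Simplified token (assumption for the model): user SID as text plus level. */
typedef struct {
    const char *user_sid;
    ImpersonationLevel level;
} Token;

/* S-1-5-18 is the well-known SID of the LocalSystem account. */
static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Vulnerable check, as described: SID comparison only, so an
 * identification-level token carrying LocalSystem's SID passes. */
bool vulnerable_is_system(const char *sid, ImpersonationLevel level) {
    (void)level; /* the level is never consulted; this is the bug */
    return strcmp(sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened check: only trust the SID when the token's level actually
 * authorises acting as that user (SecurityImpersonation or above). */
bool hardened_is_system(const char *sid, ImpersonationLevel level) {
    if (level < SecurityImpersonation)
        return false;
    return strcmp(sid, LOCAL_SYSTEM_SID) == 0;
}

int main(void) {
    /* Constructed tokens: same SID, different impersonation levels. */
    const Token identify_only = { LOCAL_SYSTEM_SID, SecurityIdentification };
    const Token full          = { LOCAL_SYSTEM_SID, SecurityImpersonation };
    const Token *cases[] = { &identify_only, &full };

    for (int i = 0; i < 2; i++) {
        const Token *t = cases[i];
        printf("SID %s, level %d: vulnerable=%d hardened=%d\n",
               t->user_sid, (int)t->level,
               vulnerable_is_system(t->user_sid, t->level),
               hardened_is_system(t->user_sid, t->level));
    }
    return 0;
}
```

The identification-level token is accepted by the vulnerable check and rejected by the hardened one; a genuine impersonation-level LocalSystem token passes both.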

Source: Google Security Research

112 Comments
  • No comment
  • Windows 8.1 has callers?
  • Can surely smell Google struggling and burning... ;) :P
  • Stupid comment.
    Google automatically published the vulnerability as per their usual policy.
    You should instead be asking WHY Microsoft didn't patch this in the 3 month time period.
  • Well it is the holidays after all guessing the team that deals with it is on vacation. At least it should only affect the pro/server versions of 8.1
  • Didn't know the holidays were 3 months. I thought it was one month, and even then it's not like they get one month off work. Maybe 3-7 days at most.
  • Should actually ask why GOOGLE feels the need to auto publish vulnerabilities after a fixed time window. They're doing nothing but screwing over end users with this practice.
  • Sorry, I know this is a Windows website, but your logic is warped.
    Google discovered the vulnerability, & informed Microsoft 90 DAYS ago! Google auto publishes such things after 90 days have passed....
    Microsoft had ample time to fix the problem.
    Good on Google for pressuring MS to get their OS sorted.
  • There is no information that says they reported it to Microsoft.  Just reported it to their own internal bug site.
  • You have no idea how simple or complex this vulnerability could be. Also you do not know if Microsoft is going to release a patch for this on patch Tuesday. Also they have to prioritize issues as even they have limited resources.
  • "Even they have limited resources"?!
    Say what?!
    Your argument fell down right there.
  • To make people aware of this issue and take their own precautions. Not everyone is clueless end user like you. There are a lot of enterprise users and administrators who NEED to know about this.
  • Yep, always a good idea to alert hackers to previously unknown Windows vulnerabilities..... /s
  • You miss the point.
    You are criticising Google when Microsoft have known about this vulnerability for 90 days...
    Google are not at fault here (and it pains me to say that given how much I loathe Google!)
  • So because Microsoft couldn't work out a solution in 90 days it's okay to release this information so that hackers can enjoy themselves? Instead of releasing the whole procedure on how to do it. They could have just given a simple outline to the problem.
  • MS is at fault for failing to fix this right away, but Google is at fault here too. If I tell you I can break your front door easily, it doesn't mean that after 3 months I can publish it openly whether you had it fixed or not.
  • I thought it was common practice for companies to share information if they find a vulnerability. Google was just following protocol. Microsoft just hasn't worked out a fix yet. I think a lot of ppl are just blowing this out of proportion.
  • No, I don't think you get the point. Microsoft has to prioritize what it needs to fix, and while ignorance of a security hole isn't a fix, companies often have to rely on people not knowing about issues because they simply don't have the time to fix an issue that's not a breaker bug. Google isn't helping anyone get their OS together, they're exposing users to risk which is not cool. Saying "well they had 90 days" means nothing. It takes time to assess the bug, identify the cause, asses how critical it is, apply the fix, and then do regression testing on a massive scale. If an exploit isn't out in the wild and isn't something that can widely affect users, chances are it won't jump to the top because I can promise you there are many more security holes out there to fix (and not just in Windows either). MS should fix this bug, I agree, but Google blindly pushing exploits out to the public after 90 days is irresponsible.
  • Your assumption relies on the fact that no one knows about this. Are you aware that there are underground markets where people trade zero-day exploits for big sums of money? It's actually worth more for hackers if a bug isn't known by anyone, not the opposite.
  • Show me where Microsoft was notified of this, scroogle fanboy.
  • 'Scroogle Fanboy'...
    Do you realise how ridiculous you sound when you say that?
  • So, let's make it public and let hackers do their dirty job. I bet MS must have other critical vulnerabilities to answer. MS will eventually patch it but this is totally a dick move.
  • Indeed. Google are clearly 'aiding and abetting criminals' here and prosecution is now due. Of course, because they are wealthy different application of law kicks in. If I sent an email to Anonymous with such info in I'd be done. Not so for the nobs. One law for them, another law for us plebs.
  • This isn't the first time the scroogle has pulled this crap. This is SOP for them: find vulnerabilities and then disclose them without working with Microsoft.
  • What a crock of sh*t. Are Google supposed to fix this for Microsoft?! NO!
    Google alerted Microsoft....MS then had 90 days to sort out a fix.
    They didn't...and that is why we have heard about it.
  • And disclosing this does what exactly? Make Microsoft look bad?
  • Whether an exploit is fixed or not, why would any company expose it to the public? Oh, it was Google, I get it!
  • Remember that DDOS attack that took down Xbox Live and PSN? It was more than likely achieved using millions of compromised machines around the world.
    Plugging security holes and generally incentivising the building of properly secure OS's will help reduce the impact of similar DDOS attacks.
    What Google is doing is essentially sticking a guillotine over Microsoft's neck. When the countdown passes 90 days, MS knows they'll receive some bad press.
    I don't often commend Google for the way they operate - but I like what they did here. It is helping to make us all safer.
  • You don't work in programming, do you...? Sometimes fixing a bug takes long... There was a UNIX bug that took 23 years to fix... Having a policy that automatically puts users at risk after a certain time is highly unethical and should be illegal.
  • We heard it. Great. Now how this is going to fix the bug or help end users to be more secure is beyond my reasoning.
  • Actually, nowhere in this (or any other article I've read today about this) does it indicate Google told anyone beyond themselves via their internal reporting channel, so it is debatable in this case as to what game Google is pulling with this.
  • LoL, so 90 days are enough to patch a hole. Sure it is, but not when you have other prioritized patches to be done.
    Since when has Google cared about Windows?? This vulnerability is not that critical; MS would surely take time to patch it, but making it public will help anyone to exploit this minor vulnerability, too. It's users who're gonna be affected.
  • And in the meantime every report on os security states Android/Google is the least secure os. Maybe Google are too busy publishing hacks to other OS's to fix their own OS.
  • Google needs to fix their OS first. http://code.google.com/p/android/issues/list
  • They shouldn't have published it... Could have just outlined it and told it to Microsoft... Again, I would say, they are struggling in the PC area and doing this stuff...
  • That makes a lot of sense. Let's publish a hack that lets an application have admin privileges! Then all of the world's virus creators can have a field day!
  • Microsoft had 90 days to fix it.
    Auto publishing these vulnerabilities after 90 days is a good thing. It kicks Microsoft into doing the right thing.
  • Precisely.
  • Perhaps it's not so easy to isolate the problem, correct it, make sure nothing else breaks (massive amounts of testing) and then deploy it worldwide while squeezing it under some arbitrary deadline? Maybe?
  • An arbitrary deadline imposed by a company that does not own yours.
  • Yeah, I'm not sure you get how software companies work. There's a lot that goes into writing a patch, and this likely isn't the only one. You don't know how much time is plenty of time to fix anything, so Google should be forced to stop this practice as it truly does put people at risk, in some cases serious risk.
  • Show me where Microsoft was notified? Every article I have read says it doesn't appear Microsoft was notified by the DBAG that found the vulnerability.
  • I hope you don't work for my bank. Next thing I know, you are telling the world how to break in. Saying, well the bank had 90 days to secure the vault.
  • No it is not... 90 days is nothing when you're working a complex product like windows or any other OS.
  • Regarding a vulnerability, Microsoft has to find the source of the bug first, try to come up with a fix, test whether all the other parts of the OS are working fine, apply another patch if anything else breaks, do end-to-end testing to check whether the fix affects desktops, laptops and any other freaking form factor, do another patch-up if anything messes up, not to mention if there is any design change that is required, start all the aforementioned things all over again, and push an update to all the users of the operating system. And your point is that Microsoft has 90 days!!!???
  • I found a security bug in Android, it is my personal policy for Google to fix and release that bug within 10 minutes of me saying I found the bug. It is a good thing, it kicks Google into doing the right thing. 90 days is too long for Google to find and fix it because someone else could find that bug and exploit it without telling Google about the bug. 10 minutes should be long enough, they have unlimited resources and we want to do what is right for the user, right?
  • Lol is it 1997 again?
  • How is Spartan? Giving farewell to explorer I guess..
  • Google can suck a big one. They should spend less time looking for vulnerabilities and more making official apps for Microsoft. Losers...
  • Without Google, we wouldn't even know there was such a security vulnerability.
    In fact, it may never have got patched at all.
    You can bet it will be now though.
  • Most likely neither would the hackers, but they know now.....
  • Microsoft should have fixed the security hole within the 90 days then...
    Not Google's problem.
  • Ok. Stop answering on each post with praises to google. We get it, thanks to google we'll live to see a patch for this.
  • Show me where Microsoft was notified.
  • And Android/Google has the least secure OS according to all expert reports.
  • Why is it that Google always takes this nice responsibility of finding issues with Microsoft products. Do they run Microsoft product quality department?
  • It cannot be used remotely without prior local execution on the machine so I don't consider this a real problem
  • Being mad at Google for publishing this is literally shooting the messenger.
  • Amen
  • Being mad at Google for releasing the entire procedure on how to exploit it instead of just a general outline is justified.
  • We tend to shoot messengers who are carrying info to our enemies.
  • Ok first, you should look up the word literally, second, you're incorrect. If they wanted to act as a messenger, they should contact Microsoft and then that's it. There's no good reason to publish a flaw in a system until after it's been fixed. This can literally put peoples lives at risk, it's no different than publishing an exploit that allows someone to disable a key feature in your car remotely.
  • I used "literally" sarcastically just as you did saying it puts people's lives at risk. Secondly, they did act as messenger when they contacted MS, 90 days ago. The article states it seems to be fixed in Win10 but that's not a "broadly available" fix.
  • So tip of the day for you, sarcasm doesn't work well in printed type.   That being said, my use of the word literally, was in fact, literal. A machine running Windows 8.1 that runs something pretty important, like medical software, can have malware installed on it while ignoring admin rights. I don't even have enough time to list what dangers that can present to anyone in the hospital with the infected machines.
  • I'm in health IT, I know about the dangers. You have to get hospitals onto Windows 8.1 and off of XP and Win7 first, but that's beside the point. Those computers are not in charge of the sensitive machinery needed to keep people alive, so no, it's not a matter of life and death. Hospitals, banking and others have security protocols (which include 2-factor) in place that don't allow people to gain valid local user names that also have admin rights, which is what you need to use this exploit. If a hacker wants access, this literally won't be the way it's done.
  • I work for one of the largest HCIS companies in the world and I can tell you it's not just the hospital that needs to have this exploit exploited, though that would make it easier. There is also more than the equipment that keeps people alive that is at risk. Someone with a little know-how can really mess with people's records, such as removing allergies. I don't think you fully understand how this could actually affect people, given enough time to develop something that would cause the harm. That being said, it's unlikely that this would happen because there isn't much gain to be had from it. Just releasing the existence of the exploit increases the likelihood of someone doing it. So Google isn't just acting as a messenger. They were just a messenger when they told MS about the exploit, and for that they get points, but releasing the info to the public just makes them dbags.
  • You're right, they'll hack the XP boxes instead since it is the most vulnerable OS and as you said in wide spread use in hospitals and banks.
  • Yeah, I chose not to comment on that part of his argument. I see first hand how many servers have what versions of Windows, and it's not really common to see XP. At least in the hundreds of servers I accessed throughout the last 2 years. Even some of the ones I did see have been replaced by a version of Windows Server.
  • That was part of the side point: for this vulnerability to be "literally" life and death, you'd first have to upgrade hospitals and banks past XP. Thanks for helping.
  • Being mad at Google is like being mad at somebody for screwing over people for no reason.
  • And how do all you idiots sticking up for Google's dumb ass move know that MS didn't already know about this exploit and maybe have been working on it, or it's already on a list to be repaired at some point? Either way you look at this, it was a DUMB ASS MOVE BY GOOGLE.
  • Microsoft should have patched or published a workaround by now. Google ought to publish that it KNOWS of a vulnerability but not publish enough to get the crackers started.
  • Thanks Google for pimping my ride
  • Happy new year everyone!
  • What Google did on the surface looks irresponsible, but forcing a company to fix a security problem for which they knew over three months I believe will only help to get this exploit fixed. One reason for which I like open source software is the fact that security issues are openly discussed and worked upon to develop a good fix.
  • And yet Android is still the least secure mobile OS....
  • Show me where Microsoft was notified.
  • If you look at the original post, there's an MS bug ticket number attached. That means MS was notified.
  • You don't force them by throwing it out in the open. It isn't like this is an open source program. Google should respect users.
  • Google can do this by not releasing a nice to-do list on how to do it. Like I said, dumb ass move AGAIN by Google.
  • All currently open issues on Google Security Research include 4 OS X and 1 Windows security issue. I guess that means Google owned operating systems are free of any security flaws?? What a joke!!
  • Or they fix their exploits within 90 days...
  • And yet every report states Android/Google is the least secure os.
  • Just because they patch exploits within 90 days doesn't mean it's less secure, it just means they're quick to patch.
  • It's more likely that they just don't report on themselves.
  • Happy new year indians...
  • What's 8.1?
  • 10 minus 1.9
  • Let me tell you something....I hate Google, ok? But we have problems on both sides (Google, Microsoft)
    Google:
    1-It isn't good at all that you yell out the security problems!!!! From now on every little or old one will try to breach the Windows that everyone is using!!!!
    2-You want to kill Microsoft? Tell them, give them 3 or more chances; if they don't listen, then yell on your website that we found a security bug. No need to tell everyone what the problem is and mention every little detail!!!!
    3-You left us in the dust!! No app is officially available on the Windows platform, and then you care about us on PC at Christmas time, when everyone is trying to celebrate and no one creates a patch for us??? We know this is a game.... You want to give the hackers a chance to hack us at Christmas time, then yell again!!!!!! Try to go and fix your hangroid problems.... Every little child can breach it!!!!!!
    Microsoft:
    1-I'm in love with you, but where is your concentration??? You are acting like chickens without a rooster!!!!
    2-We vote on the voice website; you listened before, but where is your attention now??
    3-Try to convince official developers we need official apps without beta!!!!
    3-You are trying to fully support iOS and Android. I chose Windows because Android has low security and hang problems. iOS is creating a tower defense system that can communicate just with towers and everyone is dying.... No Bluetooth or........!!!!!! Try to believe in yourself
    4-Release your services like here for every country and every Windows Phone device for free!!!
    5-App gap? Android apps???? No way!!! Then everyone breaches your OS like Android!!!!! Try to build a service so that everyone can port their app into the OS; this is a good way!!!!!
    5-NFC apps???? Settings toggles just work with a human tap!!!!!! I know the security issues!!! Try to create digital certifications for apps and developers, then let them change security settings with apps or at least with Cortana!!!!!! Want more? Contact me! I'll give you a proposal!!!
  • Microsoft should publish the ten thousand vulnerabilities of Android.
  • This^^^^
  • and give Google 90 days to act lol
  • You win! :)
  • For a dumb end user like me what does this mean? Should I uninstall all my 3rd party modern apps, or desktop apps...or both?
  • No, I think it has nothing to do with apps.
  • This would only affect Desktop apps, but neither, you should be fine.
  • No need to uninstall anything. The malicious user would need a local login with admin access to local resources.
  • Knowing how much Google loves Windows, I can imagine how happy they are when they counted from 90 to 0.
  • I don't understand anything
  • If you don't understand anything then you understand everything. IDK
  • Unless I'm mistaken, isn't this a vulnerability that was talked about in Google's own security division? From what I'm reading, it sounds like Google knew about the vulnerability and automatically published it after 90 days because it has not yet been patched out. However, it doesn't say anything about whether they informed Microsoft first and then gave them 90 days to fix it. I feel like we are all assuming that Google contacted MS in the first place about the vulnerability.
  • What is with Google's vendetta against Microsoft? .. If it wasn't for Windows, Google wouldn't have even existed.
  • I find it highly amusing that Google is more concerned about MS than its own brand new OS, which is still giving users plenty to talk about. Two patches later and still not up to par, but of course that shouldn't bother them too much; it's par for the course. Users are being forced to reset daily due to the bug; a fix has been formulated and should be delivered with the Android 5.0.3 patch.
  • E X A C T L Y ;)
  • Hope this gets fixed pronto.
  • Screw you guys, I'm going home
  • Just Google propaganda. Ignore them. :)
  • Ok, a little bit of calm here. As the vulnerability is not present in Windows 10, I'd guess that work for that area of the OS is already in progress; merging the changes into a current project is always a problem and increases QA work significantly. Just saying. As for the release of the info by Google, it could be argued either way on good or bad or motive.
  • So I read their terms of service and policy regarding this. It doesn't say it will disclose the bug/exploit to the owner/corporation. So MS probably didn't know themselves; Google internally knew. The information wasn't passed on.
  • Android is the least secure mobile OS and Chrome the least secure browser. On top of that, Google uses all our private info for ads and analysis. They should focus more on fixing their own issues and change their business strategy and motivation.
  • I'm not quite getting all this hate against Google. Generally it's acceptable to point and laugh after someone fails to rectify an issue. So why are we condemning Google for pointing out an issue, waiting, and then pointing and laughing? Even MS is capable of making an oops.
  • This requires several things. First, it requires valid login credentials. Second, it requires that the login be local on the targeted machine. And here's the thing: any time an attacker has local access to your machine, it ain't your machine anymore anyway. I get what Google's policy is here, but I really disagree with them not only releasing info about the vulnerability but also the code needed to exploit it. Bad form, Google. Bad form.