Once again, Google has publicly disclosed unpatched Windows vulnerabilities. One vulnerability will be patched by Microsoft in its upcoming February Patch Tuesday security bulletin release, while Google and Microsoft agreed that the second flaw is not enough of a security issue to warrant a patch. Google’s Project Zero’s policy is to automatically disclose flaws 90 days after they have been reported to the vendors.
The disclosure of these two bugs will likely heighten tensions between the two tech giants. Google’s disclosure late last month of a privilege-escalation vulnerability in Windows revived acrimony between the two companies on the subject of disclosure, and also sparked debate between security enthusiasts.
Microsoft released a statement promoting its philosophy of coordinated vulnerability disclosure, and also said it had asked Google, to no avail, to withhold its disclosure of that vulnerability until the January security bulletins, released on Tuesday.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” wrote Microsoft’s Chris Betz on a company blog. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
More Critical
The more critical of the two Windows bugs is an impersonation check bypass with the CryptProtectMemory function. According to Google’s Project Zero team, the function’s implementation in CNG.sys doesn’t check the impersonation level of the token when capturing a login session ID.
“A normal user can impersonate at Identification level and decrypt or encrypt data for that logon session,” wrote Google’s James Forshaw in a disclosure advisory. “This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.”
Google reported the vulnerability to Microsoft in October. On Monday, Microsoft confirmed that it had reproduced the issue and the security feature bypass. The company said on Thursday that it had planned to release a patch for the vulnerability on January’s Patch Tuesday, but compatibility issues forced it to reschedule to February.
Not as Critical
The second issue is an admin check bypass in the NtPowerInformation system call, which is executed prior to performing specific power functions.
“This check can be bypassed in Windows 7 because neither the SeTokenIsAdmin function nor the rest of the code takes into account the impersonation level of the token,” according to Google’s Forshaw.
“Therefore you can impersonate an administrator’s token as a normal user (through linked token or kidnapping a system token) and call the protected functions. On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it’s not vulnerable,” Forshaw said.
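Both bugs turn on the same defensive distinction: a privileged check that asks only "is this token an administrator?" is satisfied by a token a client presented at Identification level, which a service should never act on. The sketch below is an added example, not code from the article, Google or Microsoft; it is user-mode PowerShell built on the .NET WindowsIdentity.ImpersonationLevel and WindowsPrincipal.IsInRole APIs, the function names are assumptions of mine, and the hardened check refuses Anonymous- and Identification-level tokens in the way Forshaw describes Windows 8+ doing.

```powershell
# Flawed pattern (what the advisory describes on Windows 7): group membership
# alone, impersonation level ignored. A caller who hands a service an admin
# token at Identification level passes this check.
function Test-IsAdminOnly {
    param([System.Security.Principal.WindowsIdentity]$Identity)
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Hardened pattern: reject impersonation tokens below SecurityImpersonation
# before looking at group membership. ImpersonationLevel is None for a primary
# token (the process's own identity, not an impersonated client), so None is
# accepted; Anonymous and Identification are refused; Impersonation and
# Delegation proceed to the membership test.
function Test-IsAdminWithImpersonationLevel {
    param([System.Security.Principal.WindowsIdentity]$Identity)
    $level = $Identity.ImpersonationLevel
    if ($level -eq [System.Security.Principal.TokenImpersonationLevel]::Anonymous -or
        $level -eq [System.Security.Principal.TokenImpersonationLevel]::Identification) {
        return $false
    }
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Audit helper: show what each check would decide for the token the current
# thread is running under. Call it from inside a server's impersonation block
# (for example while impersonating a named-pipe client) to see the gap between
# the two checks; outside impersonation it reports the process's primary token.
function Get-ThreadTokenReport {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    [pscustomobject]@{
        Name                 = $Identity.Name
        ImpersonationLevel   = $Identity.ImpersonationLevel
        AdminOnly            = Test-IsAdminOnly -Identity $Identity
        AdminAndImpersonates = Test-IsAdminWithImpersonationLevel -Identity $Identity
    }
}

Get-ThreadTokenReport | Format-List
```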
According to Google, Microsoft told its researchers that the issue was reproduced on Windows 7 and that it wasn’t critical enough to warrant servicing in a security bulletin, since the bug allows only limited information disclosure about power settings.