A new vulnerability of Windows 7 and 8.1 was revealed by Google, leaving Microsoft operating systems exposed until next month, which the company plans to release a patch.
Η Google started in July of 2014 Project Zero group which chases zero-day on various platforms. Since then, they have exposed several Windows vulnerabilities. In the context of 90's policy of publicizing XNUMX days with the Project Zero team, Microsoft has been uncovered at least twice to date.
Basically, Google gives companies three months to resolve the security issues they discovered before disclosing them. To date, Google security bugs have revealed multiple security vulnerabilities in Windows.
The flaw revealed today affects a Windows feature called "CryptProtectMemory" that allows applications to encrypt memory for processes running during a connection.
When connected, the encryption key is issued based on the session ID and can be used to exchange data between processes by allowing the session ID to be derived from the symbolic impersonation, James Forshaw in the publication that reveals vulnerability.
The issue is that CNG.sys does not check the token impersonation level when receiving a login ID (using SeQueryAuthenticationIdToken). This way an ordinary user can mimic the level of authentication and decrypt or encrypt the data for that login session. ” says the researcher.
Forshaw also released a proof of PoC, which proves that disclosure of information is possible by exploiting the defect.
The problem was reported to Microsoft on 17 October of 2014. The company then confirmed the vulnerability in October 29 when developers managed to replicate it.
It is important to note that vulnerability had a specified disclosure date for January 15.
However, the company announced to Google that it would not be able to deliver a patch in January, because a compatibility problem arose. So the update that fixes the security flaw will be released next month.