A new vulnerability of Windows 7 and 8.1 was revealed by Google, leaving Microsoft operating systems exposed until next month, which the company plans to release a patch.
Η Google started in July of 2014 Project Zero group which chases zero-day on various platforms. Since then, they have exposed several Windows vulnerabilities. In the context of 90's policy of publicizing XNUMX days with the Project Zero team, Microsoft has been uncovered at least twice to date.
Basically, Google gives companies three months to resolve the security issues they discovered before disclosing them. To date, Google security bugs have revealed multiple security vulnerabilities in Windows.
The flaw disclosed today affects a Windows feature called “CryptProtectMemory” and allows applications to encrypt memory for running processes, during a connections.
When connected, the encryption key is issued based on the session ID and can be used to exchange data between processes by allowing the session ID to be derived from the symbolic impersonation, James Forshaw in the publication that reveals vulnerability.
"The point is that the application CNG.sys does not check the impersonation level of the token when getting a session ID (using SeQueryAuthenticationIdToken). So a simple user can impersonate the authentication layer and decrypt or encrypt the data for that session” says the researcher.
Forshaw also released one evidence of vulnerability (PoC) which proves that disclosure of information is possible by exploiting the flaw.
The problem was reported to Microsoft on 17 October of 2014. The company then confirmed the vulnerability in October 29 when developers managed to replicate it.
It is important to note that vulnerability had a specified disclosure date for January 15.
However, the company announced to Google that it would not be able to deliver a patch in January, because a compatibility problem arose. So the update that fixes the security flaw will be released next month.