A new vulnerability in Windows 7 and 8.1 was revealed by Google, leaving Microsoft's operating systems exposed until next month, when the company plans to release a patch.
Google started the Project Zero group in July 2014 to hunt for zero-days on various platforms. Since then the group has exposed several Windows vulnerabilities. Under the Project Zero team's 90-day disclosure policy, Microsoft has been caught out at least twice to date.
Basically, Google gives companies three months to resolve the security issues it discovers before disclosing them. To date, Google's security researchers have revealed multiple security vulnerabilities in Windows.
The flaw disclosed today affects a Windows feature called “CryptProtectMemory”, which allows applications to encrypt memory for running processes or for the duration of a logon session.
At login, the encryption key is generated based on the session ID and can be used to exchange data between processes, allowing the session ID to be extracted from the impersonation token, reports James Forshaw in the post that reveals the vulnerability.
“The issue is that CNG.sys does not check the token impersonation level when receiving a login ID (using SeQueryAuthenticationIdToken). This way an ordinary user can mimic the level of authentication and decrypt or encrypt the data for that login session,” says the researcher.
Forshaw also released a proof of concept (PoC), which shows that information disclosure is possible by exploiting the defect.
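The missing check described above, as an added example that is not from the original article, from Forshaw's PoC or from CNG.sys: a simplified C model in which the key depends only on the logon ID, with an unchecked and a checked variant side by side. The token struct, function names, XOR "cipher" and logon ID are all constructed for illustration; the level names follow Windows' documented impersonation levels, and the checked variant is an assumption about what such a check looks like, not Microsoft's patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified user-space model; all names are hypothetical, not CNG.sys code. */
typedef enum { ANONYMOUS, IDENTIFICATION, IMPERSONATION, DELEGATION } imp_level;

typedef struct {
    uint64_t  logon_id;      /* logon session the token represents */
    int       impersonating; /* 0 = the caller's own primary token */
    imp_level level;         /* only meaningful when impersonating */
} token;

/* Toy stand-in for the per-session key: derived only from the logon ID. */
static uint8_t session_key(uint64_t logon_id) {
    return (uint8_t)((logon_id * 131u + 7u) & 0xFF) | 0x01; /* never zero */
}

/* XOR is its own inverse, so one routine models both protect and unprotect. */
static void xor_buf(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Flawed variant: takes the logon ID from whatever token is presented. */
int session_crypt_unchecked(const token *t, uint8_t *buf, size_t len) {
    xor_buf(buf, len, session_key(t->logon_id));
    return 0;
}

/* Checked variant: a token below IMPERSONATION level only identifies a user. */
int session_crypt_checked(const token *t, uint8_t *buf, size_t len) {
    if (t->impersonating && t->level < IMPERSONATION)
        return -1;           /* refuse; buffer is left untouched */
    xor_buf(buf, len, session_key(t->logon_id));
    return 0;
}

/* Constructed scenario: 1 if an identification-level token recovers the data. */
int leaks(int (*crypt)(const token *, uint8_t *, size_t)) {
    const char *secret = "session secret";
    uint8_t buf[32];
    size_t n = strlen(secret);
    token owner    = { 0x3e7a1, 0, ANONYMOUS };      /* constructed logon ID */
    token borrowed = { 0x3e7a1, 1, IDENTIFICATION }; /* same session, low level */
    memcpy(buf, secret, n);
    crypt(&owner, buf, n);     /* session owner protects its data */
    crypt(&borrowed, buf, n);  /* unprotect attempt with the weaker token */
    return memcmp(buf, secret, n) == 0;
}
```
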
The problem was reported to Microsoft on 17 October 2014. The company confirmed the vulnerability on October 29, when developers managed to reproduce it.
It is important to note that the vulnerability had a specified disclosure date of January 15.
However, the company informed Google that it would not be able to deliver a patch in January because a compatibility problem had arisen. So the update that fixes the security flaw will be released next month.