Google publicly disclosed a Windows 8.1 bug that allows administrator access to PCs. The disclosure highlight a vulnerability affecting millions of users.
This has left Microsoft outraged, especially considering that they were about to release a patch for it.
The news originated from Forshaw, one of Google’s researchers who found the bug and published it online. The bug is backed up by the Google’s POC (proof of concept) scheme, which was tested on an updated version of Windows 8.1. It’s not entirely clear whether earlier versions of Windows, such as Windows 7 operating systems, are also affected by the bug.
Microsoft went on to express their displeasure by stating that such bug reports shouldn’t be released until after a fix has been made available.
According to Microsoft, for such a bug to cause problems, the perpetrator trying to access the computer would need to know the password of the local machine. This is still a big enough risk to have over a network, as any hacker will use this simple fact as motivation to steal passwords and ultimately gain elevated user privileges.
An unpopular decision?
Google’s Project Zero carries out research and bug testing on various systems. Once they find a bug, their policy is to give 90 days for the vendor to fix the issue. The 90 days disclosure time had passed and Google went ahead and published their report a couple of days short of Microsoft releasing an update, on their patch Tuesday.
It leaves little to guess why Microsoft recently pulled their ANS (Advanced Notification Service) from the general public and made it only available to paid Premier support clients. This means that only paying customers would know of the security issues before their scheduled release on Patch Tuesday.
The vulnerability: Briefly explained
An internal function exists within the Windows 8.1 operating system, known as AhcVerifyAdminContext. Google’s proof of concept tested this using a couple of programs and some commands to bring up the calculator in Windows as an administrator.
Vulnerability Overview:
- The vulnerability in unpatched versions of Windows 8.1 has a function which consists of a token. The problem is that this token doesn’t correctly verify if the user logged onto the computer is an administrator.
- It checks the footprints from user’s impersonation token and matches these between the user’s SID and the system’s SID.
- What it doesn’t do is verify the token’s impersonation level against anything else.
- This leads to the vulnerability where an identity token can be added from a local process on the system, and as a result, skip the verification stage.
- This vulnerability only needs to be exploited by someone who knows that it’s available on an un-patched version of Windows 8.1.
- The hack could be something like an executable that creates a cache, and uses a registry entry on the computer to reload itself.
- All that would be required is to use an existing application on the computer to run and elevate these privileges.
The proof of concept Google used includes two program files and a set of instructions for executing it. This resulted in the Windows calculator running as an administrator. Forshaw states that the bug is not in UAC (user access control) itself, but that UAC is used as part of it to demo the bug.
Protecting Yourself and Your Business
We suggest keeping your anti-virus updated, along with Windows Security Updates to patch up known vulnerabilities on the computer. Depending on your office set-up, it is also a good idea to enable firewall on PCs too if not at least your network.
For more ways to secure your business data and systems, contact your local IT professionals.