
Google Engineer Finds Critical Vulnerability in Windows 8.1, Makes It Public


Attackers could get admin privileges on an unpatched system

Windows 8.1 appears to be the only affected version right now

Microsoft usually releases security fixes for its software, including the Windows operating system, on Patch Tuesday, but this time the company might have to move a bit faster because of a vulnerability that has been made public by a Google security engineer.

A Google researcher named Forshaw found a critical security flaw in Windows 8.1 that would allow an attacker to get administrator privileges on any system, and at this point there’s absolutely no workaround or patch available to address this issue.

Forshaw has also posted a Proof of Concept (which you can read in full in the box after the jump) that demonstrates the vulnerability, pointing out that he’s not sure whether the same bug exists in Windows 7 or any other Windows version.

Microsoft knew about this issue

Even though some criticized Forshaw for making this vulnerability public, it’s worth mentioning that Microsoft was contacted by the Google engineer soon after he found it in September 2014 as part of the Google Project Zero research program.

His post is dated September 30 and given the fact that Google Project Zero has a 90-day disclosure policy, the initial report went public, urging Microsoft to provide a patch for affected systems.

At this point, it’s not yet clear whether Microsoft is planning to wait until this month’s Patch Tuesday or release an out-of-band fix in the coming days. The January 2015 Patch Tuesday rollout takes place on January 13.

Bug confirmed, fix on its way

In a statement we received this morning Microsoft confirms the issue and says that it’s already working on a fix.

Even though there’s no workaround available at this point, the company says that Windows users should keep anti-virus protection turned on all the time and enable firewalls to make sure that no exploits are being used against their computers.

Here is the official statement provided by Microsoft and scroll down to read the whole advisory released by the Google security engineer.

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

Updated on January 2, 2015 to state that there's no patch available at the time of posting the article and all Windows 8.1 systems are vulnerable. There's still no indication if other Windows versions are affected.

source: http://news.softpedia.com/news/Google-Engineer-Finds-Critical-Vulnerability-in-Windows-8-1-Makes-It-Public-468730.shtml


The quickest solution is to disable the method if possible and then proceed to find a way to fix it. Microsoft really needs to step up their game fixing problems that can compromise Windows, like Apple does. I guess this is just a side effect of the "I found something, better add more code to fix it. I found something in that code to fix, better add more code to fix it" mentality Microsoft seems to have.



Why does it always have to come to someone making it public in order for "x company" to care?

Long live Stalin, he loves you; sing these words, or you know what he’ll do!


For those who like details, here you go:

Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.

It is then just a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for a UAC auto-elevate executable (say ComputerDefaults.exe) and the cache is set up to point to the app compat entry for regsvr32, which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used; the trick would be finding a suitable pre-existing app compat configuration to abuse.

It's unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I'd recommend running on 32 bit just to be sure. To verify perform the following steps:

1) Put the AppCompatCache.exe and Testdll.dll on disk

2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).

3) Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".

4) If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

https://code.google.com/p/google-security-research/issues/detail?id=118

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
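Added here to illustrate the check the advisory above describes (this is a constructed user-mode model, not code from ahcache.sys, the advisory, or the PoC): a SID-only comparison beside a version that also requires the token's impersonation level. The impersonation level ordering and the LocalSystem SID are Windows facts; the struct and function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the defect in the admin-context check described
 * above. Not kernel code; names and layouts are assumptions. The level
 * ordering mirrors Windows' SECURITY_IMPERSONATION_LEVEL enum. */
typedef enum {
    LEVEL_ANONYMOUS = 0,
    LEVEL_IDENTIFICATION = 1,  /* server may learn who the client is only */
    LEVEL_IMPERSONATION = 2,   /* server may act as the client locally */
    LEVEL_DELEGATION = 3
} impersonation_level_t;

typedef struct {
    const char *user_sid;          /* string form of the token's user SID */
    impersonation_level_t level;   /* impersonation level of the token */
} token_t;

#define LOCAL_SYSTEM_SID "S-1-5-18"   /* well-known SID of LocalSystem */

/* Vulnerable pattern: trusts the user SID alone. An identification-level
 * token taken from a LocalSystem process passes, although such a token
 * only proves who the client is and grants no right to act as it. */
bool verify_admin_context_vulnerable(const token_t *tok)
{
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened pattern: the level must be at least Impersonation before the
 * SID is allowed to grant anything. In kernel code the level comes back
 * through the ImpersonationLevel out-parameter of
 * PsReferenceImpersonationToken, so the information is already at hand. */
bool verify_admin_context_fixed(const token_t *tok)
{
    if (tok->level < LEVEL_IMPERSONATION)
        return false;
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Scenario from the advisory: a caller's thread carrying an
 * identification-level LocalSystem token. Returns 1 when the SID-only
 * check accepts it and the hardened check rejects it, 0 otherwise. */
int model_reproduces_defect(void)
{
    token_t identify_token = { LOCAL_SYSTEM_SID, LEVEL_IDENTIFICATION };
    bool vulnerable_ok = verify_admin_context_vulnerable(&identify_token);
    bool fixed_ok = verify_admin_context_fixed(&identify_token);
    return (vulnerable_ok && !fixed_ok) ? 1 : 0;
}
```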


Why does it always have to come to someone making it public in order for "x company" to care?

Because x company doesn't care about you. :(



Because x company doesn't care about you. :(

They always seem to care when the problem becomes big. That's actually how the world works: a problem must be big in order for something to happen. You can't just prevent problems from even happening in the first place; you must wait until it becomes a life or death situation, or until money is involved.



They always seem to care when the problem becomes big. That's actually how the world works: a problem must be big in order for something to happen. You can't just prevent problems from even happening in the first place; you must wait until it becomes a life or death situation, or until money is involved.

The only reason they do this is because they see short term money gains; they don't care about the long term. If they simply fixed things before people knew about it or shortly thereafter then this situation would never happen. It's sad a company has to be essentially extorted to fix their product.



The only reason they do this is because they see short term money gains; they don't care about the long term. If they simply fixed things before people knew about it or shortly thereafter then this situation would never happen. It's sad a company has to be essentially extorted to fix their product.

The bug was made public today, MS have already confirmed the fix is imminent. How much quicker do you want it?



The bug was made public today, MS have already confirmed the fix is imminent. How much quicker do you want it?

If they already knew about the problem long ago, they should already have fixed the problem long ago. I don't want to pay them 150 dollars for being lazy.



When Google told them three months ago..

You have no idea what they've been doing in the 90 days; they might have been fixing even more dangerous vulnerabilities. They met your criteria of fixing it shortly after it was made public and you're still not happy.



You have no idea what they've been doing in the 90 days; they might have been fixing even more dangerous vulnerabilities. They met your criteria of fixing it shortly after it was made public and you're still not happy.

You misread: whether or not it's public, there should at least be a temporary fix for it ASAP. If it took them three months to get this out because there are more dangerous vulnerabilities, then stop using Windows immediately because there's no hope for it.



You have no idea what they've been doing in the 90 days; they might have been fixing even more dangerous vulnerabilities. They met your criteria of fixing it shortly after it was made public and you're still not happy.

Judging by their reputation as "last second fixers" and "cash grabbers", I don't really think they have been doing that much on Windows 8.1 lately. I think they have been developing Windows 10 so that I can pay them an extra 150 dollars to keep their Xbox train going.



they would first need to have valid logon credentials and be able to log on locally to a targeted machine

 

It sucks, but it's not as critical as everybody would think it is. I mean, it would imply that the hacker is sitting at your computer, knowing your Outlook username and password... or your domain password. You're already screwed at this point.


I like these security issues discovered by rival companies. They always make a huge deal with scary text, but then you realize that you need the hacker to execute these complex things, where part of your security is already compromised, AND at the physical location.

I mean, don't get me wrong, they SHOULD be fixed, but it's not as critical as it is made to sound.

I read that like 4-5 days ago in the news, and I was like ":sign:, wtv it's stupid, I am not going to report it"


Ok, so for this exploit to work you need to know the admin's username + password.... Good luck with that one. (Not saying it couldn't be done, but it's not as large of a vulnerability as it's made out to be.)

Intel I9-9900k (5Ghz) Asus ROG Maximus XI Formula | Corsair Vengeance 16GB DDR4-4133mhz | ASUS ROG Strix 2080Ti | EVGA Supernova G2 1050w 80+Gold | Samsung 950 Pro M.2 (512GB) + (1TB) | Full EK custom water loop |IN-WIN S-Frame (No. 263/500)


Ok, so for this exploit to work you need to know the admin's username + password.... Good luck with that one. (Not saying it couldn't be done, but it's not as large of a vulnerability as it's made out to be.)

It didn't specifically say you needed admin login credentials, just "valid" login credentials. It wasn't clear though. You might be able to use restricted login credentials, like would be common for staff logins as part of a large company's AD domain.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


It didn't specifically say you needed admin login credentials, just "valid" login credentials. It wasn't clear though. You might be able to use restricted login credentials, like would be common for staff logins as part of a large company's AD domain.

Exactly what I was thinking, haha. Sure, no one's gonna be at my house on my computer or something ridiculous like that; however, for companies this could be a huge deal.


CPU: Intel Core i7-4790K 4.0GHz Quad-Core Processor

CPU Cooler: Corsair H105 73.0 CFM Liquid CPU Cooler

Motherboard: MSI Z97-GAMING 5 ATX LGA1150 Motherboard

Memory: G.Skill Ripjaws X Series 16GB (2 x 8GB) DDR3-1600 Memory

Storage: Kingston SSDNow V300 Series 240GB 2.5" Solid State Drive

Storage: Western Digital Caviar Blue 1TB 3.5" 7200RPM Internal Hard Drive

Video Card: MSI GeForce GTX 750 Ti 2GB TWIN FROZR Video Card

Power Supply: Corsair Builder 500W 80+ Bronze Certified ATX Power Supply


Well, Microsoft derped again. It happens, but in my opinion nothing so shitty will happen; they will find a fix quickly. But yeah, they're really really slow, they already had 3 months. Even if they tried fixing it during the second month and it did not work, they should have put maximum effort into fixing this before it's known. It's just doing bad marketing for them at this point.


It didn't specifically say you needed admin login credentials, just "valid" login credentials. It wasn't clear though. You might be able to use restricted login credentials, like would be common for staff logins as part of a large company's AD domain.

 

Yeah, but to log into a valid user account that's part of a domain, the computer you are on has to be part of the domain. There is 0 chance you are doing that from an outside source.



It didn't specifically say you needed admin login credentials, just "valid" login credentials. It wasn't clear though. You might be able to use restricted login credentials, like would be common for staff logins as part of a large company's AD domain.

Yes that is exactly the case.

The bug here is that normal user accounts can have their processes elevated to admin privilege.

 

 

Yeah, but to log into a valid user account that's part of a domain, the computer you are on has to be part of the domain. There is 0 chance you are doing that from an outside source.

Trust me. Most of the work when designing a network for a company is protecting it from the employees. People on the network are about as trustworthy as people from the outside. Someone can bring in an infected laptop and all of a sudden you've got an outsider on the inside.

Your average Joe doesn't have much to fear though, other than that an infected normal user might be able to cause more damage than it should on your system. But most people run as admin to begin with, so yeah...

 

 

Just so everyone knows.

Microsoft was informed about this 3 months ago.


When Google told them three months ago..

 

1) It takes time to fix.

2) He should never have made it public.

3) MS updates W8 like 1-2 times a month.


1) It takes time to fix.

2) He should never have made it public.

3) MS updates W8 like 1-2 times a month.

1) 90 days is a pretty long time.

 

2) Making it public is a good way to force companies to do good deeds. Without any pressure from Google, Microsoft might just have ignored it. They did the same with Heartbleed. Contact the developers first. Give them time to develop a fix and then make the security hole public. What you have to remember is that the security hole being known by the public helps people like sysadmins to secure the equipment they are in charge of. Unknown security issues can be a bigger threat than known ones, because with known ones at least you can try to protect yourself.

 

3) They can update however many times they want. Even if they were limited to 2 updates a month that's still 6 occasions missed in 3 months.


Why does it always have to come to someone making it public in order for "x company" to care?

Well, in this case that's not really correct. Don't update your Windows PC for a few months and then update it: you get a decently sized update which mostly consists of security patches. There are security patches all the time. Here is the thing. When there is a security issue it is a problem. When a security issue becomes public it's a BIG problem. That's when a lot of effort gets put into patching a security issue, or really any issue.

 

The other thing is that the company as a whole doesn't really care about you personally but does care about customer support. So, they do care about things like security for their customers because they want their continued support. The problem is actually finding these security issues first.

