Google’s recent publication of two Windows vulnerabilities within a week predictably raised Microsoft’s ire.
“Risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue,” wrote Chris Betz, Microsoft’s senior director of trustworthy computing, following the latest revelation earlier this month.
Google revealed the information two days before Microsoft released a fix “on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so,” he said, adding that the move “feels less like principles and more like a ‘gotcha!'” and warned that customers may suffer.
“We urge Google to make protection of customers our collective primary goal,” Betz continued.
Google’s security team typically sets a clock after informing a company of a flaw, allowing what it considers to be a reasonable period of time to fix it before spilling the beans.
“I think, particularly if a vendor has responded and requested more time, there should be exceptions made to [Google’s] policies,” said Ken Westin, senior security analyst at Tripwire.
The Latest Flaw
The latest exposed Windows 8.1 flaw, elevation of privilege in the User Profile Service, was reported to Microsoft last October.
It was discovered by James Forshaw, of Google Project Zero, who earlier outed another Windows 8.1 flaw, elevation of privilege in NtApphelpCacheControl.
When a user logs into a PC, the User Profile Service is used to create certain directories and mount the user’s registry hives.
There seemed to be a bug in the way the service handled impersonation — the first few resources in the profile were created under the user’s token, but that changed to impersonating Local System part of the way through, Forshaw found.
Any resources created while impersonating Local System might be exploitable to elevate privilege.
That occurred every time users logged into their accounts, Forshaw said.
Forshaw identified several issues but “probably the most serious” was the handling of the %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat registry hive. The profile service queried for the location of AppData\Local from the user’s registry hive, then tried to create the Windows folder and UsrClass.dat file.
By creating a new folder structure, changing the user’s shell folders registry key and placing a junction in the hierarchy, hackers could get this process to open any other UsrClass.dat file on the system if it weren’t already loaded, Forshaw warned.
Hackers could even set the root key security, which might be useful for privilege escalation.
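The two ingredients described above, a redirected shell-folder value and a junction somewhere in the resulting path, are both things an administrator can look for on a machine. The following PowerShell script is an added example, not code from the article or from Project Zero: it reads the per-user "Local AppData" entry from the User Shell Folders key, compares it with the default location, walks every directory component of the expanded path and flags any reparse point (junction or symbolic link). The registry path and value name are the standard Explorer shell-folders location and are assumed here to be what the article means by the user’s shell folders registry key; the LinkType and Target properties require PowerShell 5 or later.

```powershell
# Added example (not from the article or from Project Zero): audit a user's
# "Local AppData" shell-folder entry for a redirection plus a junction in the path,
# the combination the article describes. Run as the user whose profile is audited.
# Assumption: the standard per-user shell folders key and value name below.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$expected = Join-Path $env:USERPROFILE 'AppData\Local'

# Read the raw (unexpanded) value and expand any %VARIABLES% in it ourselves.
$raw      = (Get-ItemProperty -Path $key -Name 'Local AppData').'Local AppData'
$expanded = [Environment]::ExpandEnvironmentVariables($raw)

Write-Host "Local AppData raw value : $raw"
Write-Host "Expanded                : $expanded"

if ($expanded -ne $expected) {
    Write-Warning "Local AppData has been redirected away from the default $expected"
}

# Walk each directory component of the expanded path and record reparse points.
# A junction anywhere in this hierarchy is what lets the profile service be
# steered to a different UsrClass.dat than the one it meant to create.
$findings = @()
$parts    = $expanded -split '\\'
$prefix   = $parts[0] + '\'                      # drive root, e.g. C:\
foreach ($segment in ($parts | Select-Object -Skip 1)) {
    $prefix = Join-Path $prefix $segment
    if (-not (Test-Path -LiteralPath $prefix)) { continue }   # path not created yet
    $item = Get-Item -LiteralPath $prefix -Force
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        $findings += [pscustomobject]@{
            Path   = $prefix
            Type   = $item.LinkType                  # 'Junction' or 'SymbolicLink' (PS 5+)
            Target = ($item.Target -join ';')
        }
    }
}

# The hive the service derives from the value above.
$hive = Join-Path $expanded 'Microsoft\Windows\UsrClass.dat'
Write-Host "Hive path                : $hive (exists: $(Test-Path -LiteralPath $hive))"

if ($findings.Count -eq 0) {
    Write-Host 'No reparse points found in the Local AppData path.'
} else {
    Write-Warning 'Reparse point(s) found in the Local AppData path:'
    $findings | Format-Table -AutoSize
}
```

On an unmodified profile the script reports the default path and no reparse points. A redirected value by itself is not proof of tampering (roaming and folder-redirection policies change it legitimately), so treat a warning as something to investigate together with the ownership and creation time of the flagged directory, not as a verdict.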
The most serious UsrClass.dat issue also existed in Windows 7, although Windows 8.1’s implementation of the service “does a lot more things,” Forshaw noted.
Forshaw rated the severity of the flaw as medium.
Microsoft patched it last week, as planned, along with the flaw allowing elevation of privilege in NtApphelpCacheControl and several other vulnerabilities.
We All Love the User
So why did Google feel the need to jump the gun and expose users to risk?
When vulnerabilities are left unpatched by vendors, Google is compelled to take action, the company has argued. Some users, who recall the days when patches were issued at the vendor’s leisure, may agree.
In fact, at one point, Google security engineers proposed reducing their typical 90-day window for vendors to issue a patch to 60 days.
“If a vendor failed to respond to the disclosure, or simply ignored it, I could see the value in having a 60-day time limit,” Tripwire’s Westin remarked. “However, sometimes it takes more time for a vendor to patch a vulnerability if it is particularly complex.”
Disclosure of threats endangers the user, according to Microsoft.
So which company has the high ground?
Both are guilty of hypocrisy, argued Paul Ducklin in a post on Sophos’ Naked Security blog.
Google doesn’t adhere to the 90-day patch window for its own Android ecosystem, he pointed out. While security patches may be released for Android, users may not be able to deploy them “for weeks, months, years, perhaps even never,” because handset vendors dictate when patches are pushed out.
Microsoft’s statement that it was about to release a patch “rings hollow” in light of the earlier announcement by Microsoft’s Betz that its advance notification service would be offered only to premium users, wrote Ducklin.
So, “Microsoft, bring back those Advance Notifications, and prove that you care about keeping people informed!” he admonished, and “Google, drop the boarding school rules-and-regulations attitude and allow a touch of humanity into your bug-handling process!”
Another option is to rethink the security approaches that produce such flaws in the first place, so that fewer of these disclosure tug-of-wars arise.
“Vulnerability in endpoint software is a chronic problem,” Spikes Security CMO Franklyn Jones told TechNewsWorld. “These vulnerabilities create ever-increasing opportunities for targeted attacks via browser-borne malware.”
The best solution, he suggested, is to render Web content outside the network, isolated from the endpoint.