Google unveils Windows 8.1 vulnerability, releases sample code

Google security researchers criticized for releasing vulnerability

Google security researchers were being criticized on Monday for releasing details of a Windows 8.1 vulnerability together with proof-of-concept code that can be used to exploit it.

"The bad guys don't need to be spoon-fed that stuff," said John Shier, security adviser at UK-based Sophos.

Google's Project Zero security research team first discovered the vulnerability in September, and reported it to Microsoft. It allows an application to run with administrator privileges when it shouldn't.

With that initial issue report, Google included a note of warning to Microsoft: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public."

Those 90 days elapsed, and the bug report did, in fact, become public.

"I appreciate what Google was trying to do," said Shier. "Give Microsoft ample amount of time to fix the vulnerability."

And the 90-day release warning was not unusual, he added.

"It helps vendors prioritize to fix it sooner rather than later," he said.

However, releasing sample code was like giving a present to hackers who maybe weren't as clever as Google engineers, he said.

"Here's a working proof of concept that they can weaponize right away," he said.

Some critics have said that Google was specifically picking on Microsoft, but Project Zero has released similar proof-of-concept code for vulnerabilities in other companies' products as well, said Shier.

"I don't necessarily think it was a direct attack on Microsoft," he said.

Project Zero researcher Ben Hawkes said that the 90-day disclosure deadline policy has been in effect since the Project Zero team was first formed earlier in 2014.

"Security researchers have been using roughly the same disclosure principles for the past 13 years," he said in a statement.

"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security -- it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face."

Hawkes did not explain why proof-of-concept code was also released, however.

As of deadline, Microsoft had not responded to CSO Online's request for comment, but the company did issue a statement.

"We are working to release a security update," Microsoft said.

"It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

But according to Steve Hultquist, chief evangelist at Sunnyvale-based security firm RedSeal, Inc., this particular vulnerability could potentially have wider ramifications.

"Because systems are networked together," he said, "a vulnerability allowing the escalation of privilege can provide authorization allowing administrative activities across the network, depending on how the specific applications are designed, how the network is connected, and more."

Copyright © 2015 IDG Communications, Inc.