A flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges has been described by Google’s Project Zero security team.
The vulnerability was apparently reported to Microsoft privately on September 30 but was made public 90 days later because the bug has still not been fixed, presumably in the hope that it would pressure Microsoft into releasing an update.
However this approach has divided opinion within the security community, with many arguing that the publication of a still unpatched flaw could expose Windows 8.1 users to unnecessary risk. Security expert Graham Clulely said Google had effectively published a ‘proof of concept’ that could be used to malicious hackers to launch attacks on affected systems.
“If you want to apply pressure on a software vendor who you believe is taking too long to fix a security flaw, don’t release blueprints of how to exploit the vulnerability onto the internet. Instead, go to any technical journalist who works on the security beat. They’ll be happy to have the flaw demonstrated to them, and then responsibly report that the bug still hasn’t been fixed.”
It has been suggested that Microsoft may have taken its time releasing an update because of complications with a number of recent patches that have introduced new bugs into Windows. The MS14-045 patch made available in August caused the dreaded Blue Screen of Death to appear for many users, while ‘unspecified user issues’ caused a fix for Windows 7 and Windows Server 2008 to be pulled in October.
“While 90 days may be long enough to fix flaws found in many pieces of software, we can’t say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “It can’t risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.
“It’s too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem one would hope the eventual patch doesn’t cause more security holes further down the line.”
How well do you know the history of Windows? Take our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Hardly a risk to most companies, if the attacker (user in this case) has valid logon credentials and physical access to the machine - then they can do a lot worse anyway! Storm in a tea cup by Google and reflects badly on them!