A flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges has been described by Google’s Project Zero security team.
The vulnerability was apparently reported to Microsoft privately on September 30 but was made public 90 days later because the bug has still not been fixed, presumably in the hope that it would pressure Microsoft into releasing an update.
However this approach has divided opinion within the security community, with many arguing that the publication of a still unpatched flaw could expose Windows 8.1 users to unnecessary risk. Security expert Graham Clulely said Google had effectively published a ‘proof of concept’ that could be used to malicious hackers to launch attacks on affected systems.
“If you want to apply pressure on a software vendor who you believe is taking too long to fix a security flaw, don’t release blueprints of how to exploit the vulnerability onto the internet. Instead, go to any technical journalist who works on the security beat. They’ll be happy to have the flaw demonstrated to them, and then responsibly report that the bug still hasn’t been fixed.”
It has been suggested that Microsoft may have taken its time releasing an update because of complications with a number of recent patches that have introduced new bugs into Windows. The MS14-045 patch made available in August caused the dreaded Blue Screen of Death to appear for many users, while ‘unspecified user issues’ caused a fix for Windows 7 and Windows Server 2008 to be pulled in October.
“While 90 days may be long enough to fix flaws found in many pieces of software, we can’t say for certain what Microsoft would have to do behind the scenes to address this issue,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “It can’t risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.
“It’s too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem one would hope the eventual patch doesn’t cause more security holes further down the line.”
How well do you know the history of Windows? Take our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
Hardly a risk to most companies, if the attacker (user in this case) has valid logon credentials and physical access to the machine - then they can do a lot worse anyway! Storm in a tea cup by Google and reflects badly on them!