The Channel logo


By | Darren Pauli 16th January 2015 05:02

GRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAY

Redmond ran out of time to patch Windows flaw

Google has once again decided Microsoft's moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week.

The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently.

Google's Project Zero dropped the bug in line with its 90-day fix-it-or-else disclosure policy which this week ruffled its foe's feathers after a serious flaw was revealed two days before Redmond issued a fix.

Microsoft asked for the disclosure of that particular bug be held back slightly until it could be dealt with on Patch Tuesday, to reduce impact on customers.

Microsoft senior director Chris Betz said Google's actions are not useful, as they have the potential to hurt Windows users.

The Choc Factory for its part was sticking fast.

Google appears to be flinging fudge at all netizens that don't take patching seriously: coupled with its tight 90-day dump rule, the software giant also refused to fix a serious WebView flaw in its own Android platform for the old but hugely popular version 4.3.

It is estimated that close to a one billion users - 60 percent of the Android customer base - would be impacted unless they updated their phones and tablets. That feat's not simple, as device manufacturers and telcos need to get in on the act and push out Google's latest updates.

One alternative is for users to install supported modified operating systems such as Cyanogenmod that, while stable, may require a process too alien and fiddly for the non-technical masses.

Google said it was difficult to fix the WebView hole due to its integration into the core system as opposed to it running in Google Play services for later Android platforms.

The newly-disclosed Windows vulnerability affected the function CryptProtectMemory which together with an encryption key could allow memory sharing and logon session ID extraction between processes.

The flaw was in the CNG.sys implementation, which failed to run proper token checks meaning logon session IDs a normal user could decrypt or encrypt data for that logon session.

"This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section," the Google report says.

"This behaviour of course might be design, however not having been party to the design it's hard to tell." ®

comment icon Read 70 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


Suit-and-tie-wearing man tries to meditate, take deep breaths in faux yoga pose. Photo by Shutterstock
Emotional intelligence, not tech skills, is the way to woo suits
League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe