Google Makes Public More Windows Security Bugs
Google had first made a Windows 8.1 bug public on January 11, 2015 as part of its Project Zero.
Redmond giant made contemptuous criticism of the move made by the company. The search giant has made public a bug found in CryptProtect Memory memory-encrypting feature found in Windows 7 and 8.1 after its deadline of 90 days passed.
The project member James Forshaw made a post describing the bug on the Google Security Research page. According to him, the function CryptProtect Memory allows an application to encrypt memory for one of three scenarios; process, logon session and computer. However, due to the security bug attackers could impersonate a user and decrypt or encrypt data on Windows 7 and Windows 8.1 systems.
“The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session id, so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session,” the Google Project Zero researchers said in a description of the flaw. He also posted that Microsoft planned for the fixing of the patches in January but had to pull it back cue to compatibility problems. It is now expected that the fix will occur in February.
Another bug reported include a potential attacker which is able to see information related to the system’s power settings. Both Microsoft and Google have acknowledged it’s not a critical issue and Microsoft will not roll out a fix for it.
The Project Zero is intended for compelling the software makers to improve upon the response time to software flaws and make the web and computers more secure for users. Google gives such software companies a lead time of 90 days before making the flaws public.
Microsoft had disapproved the move of the online search titan of revealing the Windows vulnerability before Microsoft could release a fix. Chris Betz, the chief of the Microsoft Security Response Center, through the blog post had said that the company asked Google to hold the revelation about the flaw for two more days as it needed a couple of more days to create a fix.
He criticized the Google’s decision to reveal the software issue by writing, “The decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”