It seems that some Windows fans or so-called hackers have been be eager to discover or explore such "holes" for study or money. Whatever, as a preview build of operating system, you people had better install it on a VMware station, or you at least had better regularly backup your important stuff, or simply, you do not save any sensitive information in your disks.
Nearly three months after the group's creation, Google's €Project Zero€ team discovered an elevation of privilege flaw in Windows 8.1, and 90 days after disclosing it to Microsoft, the researchers have detailed the vulnerability online.
The flaw is in NtApphelpCacheControl, a function that is used for caching application compatibility information, and could be used to bypass user account control and allow a malicious application to act as an administrator, Sophos wrote in its security blog. The flaw can only be exploited if a device has already been compromised, however.
Although Google gave Microsoft 90 days to effectively patch the flaw, the Windows creator did not release a fix during that time period. Chris Boyd, malware intelligence analyst at Malwarebytes, said in a prepared comment to SCMagazine.com that the tech company might have needed more time to fix the issue.
€While 90 days may be long enough to fix flaws found in many pieces of software, we can't say for certain what Microsoft would have to do behind the scenes to address this issue,€ Boyd said. €It can't risk introducing more vulnerabilities or break key components by rushing a fix.€
Meanwhile, Google's page detailing the vulnerability filled with comments from users who said this flaw's exposure could impact billions and its release would ultimately harm Windows users, as opposed to helping push Microsoft to issue a patch.
For its part, a Microsoft spokesperson said the company is working to release a security update and reminds users to remain vigilant on security practices.
€It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,€ the spokesperson said in an email to SCMagazine.com. €We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer.€
Google didn't respond to a SCMagazine.com request for comment.
Microsoft's next Patch Tuesday is next week, on January 13.
Go to http://www.scmagazine.com/windows-8-elevation-of-privilege-flaw-detailed-online/article/390995/ for original content by Ashley Carman
The flaw is a elevation of privilege flaw (EoP) in NtApphelpCacheControl, a function used for caching application compatibility information.
For example, it can be used to bypass User Account Control (UAC), allowing a malicious application to promote itself to administrator even if it started off with the privilege of a regular user.
Fortunately this means you have to already have been compromised for this vulnerability to be of use. There are also mitigations that can be employed to reduce the risk from this flaw.
https://nakedsecurity.sophos.com/2015/01/03/zero-day-in-windows-8-1-disclosed-by-Google/
previous post