Microsoft fumes, Google discloses another Windows security flaw

Google has discovered a bug in the CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1, and made its disclosure public after its Project Zero deadline of 90 days passed.

The bug was found by James Forshaw, who also discovered a privilege elevation flaw in Windows 8.1, the disclosure of which drew the ire of Redmond earlier this week.

Forshaw described his new issue as an impersonation check bypass that could be an issue if a service is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.

"When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag), the encryption key is generated based on the logon session identifier, this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another, it supports extracting the logon session ID from the impersonation token," Forshaw said.

"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session.

"This behaviour of course might be design; however, not having been party to the design, it's hard to tell."

The bug was discovered on October 17, with Microsoft being able to reproduce the issue no later than October 29. However, compatibility issues meant that Redmond failed to meet Google's deadline, and the bug has been disclosed.

"Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore, the fix is now expected in the February patches," an update from Forshaw said.

This is the second time in a week that Google has made a Windows security issue public, despite Microsoft working to correct the flaw, and asking Google to delay disclosure.

"We asked Google to work with us to protect customers by withholding details [on CVE-2015-0004] until Tuesday, January 13, when we will be releasing a fix," wrote Chris Betz, senior director of the Microsoft Security Response Center, in a blog post.

"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

Betz said vulnerabilities that are privately disclosed, coordinated, and fixed are hardly ever exploited before a patch is available, and a "very small amount" are exploited once a fix is publicly available.

"Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves," Betz said.

A Microsoft spokesperson issued this statement: "We are not aware of any cyberattacks using the CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first. We continue to believe that security researchers should engage with software companies to privately disclose vulnerabilities and work together to further protect customers."

At the time of writing, the bug had been public for less than six hours.