A Google researcher named forshaw has discovered and disclosed a privilege escalation bug in Windows.
I have contacted both Microsoft and Google for comment and will update the story with any reactions I receive.
Forshaw included a proof of concept (POC) program for the vulnerability. He says he has only tested it on an updated Windows 8.1 and that it is unclear whether earlier versions, Windows 7 specifically, are vulnerable.
Update on December 31: A Microsoft spokesperson provided this statement: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
Update 2 on December 31: A Google representative contacted us to point to a comment from the company on the disclosure posting. It states that Microsoft was notified of the finding on September 30, the date of the private posting. It goes on to say that the 90-day deadline policy for Google Project Zero, the program under which this research was performed, has been public information since the formation of the program earlier in 2014. The comment then defends disclosure deadlines in principle; it should be noted that most bug bounty programs include such deadlines. HP TippingPoint's Zero Day Initiative, the biggest of them, has a standard four-month deadline. Google says that they will monitor the effects of the policy to see if it merits adjustment.
The vulnerability is identified in the function AhcVerifyAdminContext. This appears to be an internal function and not a public API, as a search on microsoft.com yields no hits and the only hits elsewhere are other stories referring to forshaw's report.
The proof of concept includes two program files and a set of instructions for executing it; following the instructions results in the Windows calculator running as Administrator. Forshaw states that the bug is not in UAC itself, but that UAC is used in part to demonstrate the bug.
Forshaw posted the disclosure privately on September 30 on the google-security-research mailing list. At the end he stated "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public." There is no indication that he contacted Microsoft about it.
In my own attempts to run the POC I may have been successful. In the end the Windows Calculator ran, but it is not clear to me that a privilege was elevated. One test system was running Norton Security, which flagged both POC executables as malicious and quarantined them.