Windows 10 bug: Google again reveals code for 'important' unpatched flaw

For the second time in a week, Google reveals another unpatched Windows 10 vulnerability.
Written by Liam Tung, Contributing Writer

Google's Project Zero has revealed another unpatched flaw affecting Windows 10 because Microsoft missed its 90-day deadline to patch or disclose.

After last week revealing a Windows 10 exploit mitigation bypass that Microsoft couldn't fix in time, Google on Tuesday revealed another security issue in Windows 10 -- this time one that Microsoft appeared to have fixed in February's Patch Tuesday but didn't, according to Project Zero researcher James Forshaw.

Forshaw in November reported to Microsoft a pair of bugs affecting the same function in Windows 10. The bugs are labeled by Google as issue 1427 and issue 1428, which include proof-of-concept code that demonstrates the flaw.

The bug was assigned the ID CVE-2018-0826, which Microsoft addressed this month, rating it as 'important' and 'more likely' to be exploited.

"An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context," wrote Microsoft.

"To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system."

However, according to Forshaw, Microsoft's patch only resolved issue 1427, even though he had filed two separate reports to ensure the "edge case" described in issue 1428 wasn't missed.

"Note this is a second bug in the same function. I'm submitting it separately just to ensure that the resulting fix doesn't miss this edge case as well," Forshaw wrote in November.

This week he updated the post: "After reviewing the patch for this issue [Microsoft] have not fixed it even though the report was quite specific about not forgetting about this edge case. Therefore as it's not actually fixed, the status has been reverted to New."

According to Forshaw's timeline, evaluators at Redmond decided the two issues were duplicates.

Forshaw noted that several factors explain the gap between Google's assessment of this as a "high" severity issue and Microsoft's rating of only "important".

"MS consider this to be an 'important' issue, but crucially not a 'critical' issue. This is because this issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However, to execute the exploit you'd have to already be running code on the system at a normal user privilege level," Forshaw writes.

"It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as 'high severity' reflects the ease of exploitation for the type of issue. It's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place."

Microsoft also updated its guidance to Google on the exploit mitigation bypass. Redmond was confident it could fix the issue in its March update, but has since told Google that, because of the fix's complexity, it doesn't have a date for its availability.

"[Microsoft Security Response Center] reached out to me to clarify that, because of the complexity of the fix, they do not yet have a fixed date set as of yet," wrote Project Zero researcher Ivan Fratric.
