Elevation of Privilege is a key component of the design phase in the Microsoft Security Development Lifecycle. It is one of the ways to go about threat modeling, and it helps to figure out potential threats software, and computer systems might face. Needless to say, security bugs in Elevation of Privilege and other essential security components are not something one would want to have. However, there recently was a backlash between Google and Microsoft because the former revealed a security bug in Windows 8.1 related to Elevation of Privilege before Microsoft issued a patch.
How did the Elevation of Privilege bug come about?
Google detected the bug and reported it on September 30th, 2014. However, according to the report, the bug was a “subject to a 90-day disclosure online.” It meant that unless Microsoft releases a patch for bug, the information about the bug would be available for the public. Consequently, Google disclosed the information about this vulnerability because the patch wasn’t released within the 90-day window. That didn’t sit well with Microsoft because the patch release was just days away. In their official statement, the company claimed that Google was asked to withhold the information on the bug, as disclosing such a vulnerability before a fix is broadly available is a “disservice to millions of people and the systems they depend upon.”
What is the Elevation of Privilege bug all about?
The problem with the Elevation of Privilege in ahcache.sys is related to impersonation tokens. With Windows 8.1 update one particular system call cashes application compatibility data. This data can later on be accessed by a user, but new cache entries can only be added by the administrator. The Elevation in Privilege bug presents vulnerability in this function because it doesn’t check the impersonation token properly. As a result, it is not determined correctly whether the user, who adds cache entries, is really an administrator. It would be only a question of time of how cyber criminals could exploit this vulnerability. What’s more, it is clear why Microsoft was not happy about Google disclosing it in public.
What’s in it for Google?
While most of the blogs and news portals, that deal with security news, reported about this issue, whenever it came to Google’s official stance, most of the time, it was said that Google was not available for comment.
It is true that by revealing Elevation of Privilege flaw, Google exposed multiple computers to potential exploitation, but at the same time, it has given a 90-day deadline for the patch release. Therefore, some bloggers praised Google for sticking to its word.
Commentators also pointed out that 90 days is a period long enough to come up with a security patch, but at the same time, hurrying with the patch release may introduce new risk and vulnerabilities to the system. On its own right, Google published a statement that said the 90-day deadline has been decided after “many years of careful consideration and industry-wide discussions about vulnerability remediation.”
It seems like now software vendors have a new watchdog that will not take any excuse for granted. Whether it is for the better or worse, we believe that eventually users are going to be the ones who benefit from it.