Google published exploitable security hole two days before it would have been patched despite Microsoft asking not to

Microsoft Corp. (MSFT) had some terse words for Google Inc. (GOOG) following a Google resarcher's decision to publish an exploitable bug in Windows 8.1, days before a fix would have arrived.

I. The Bug

Google Code team member "Forshaw" initially published the bug internally on Sept. 30, 2014, also submitting it to the Microsoft Security Response Center under the ID (MSRC-20544). The bug was found in Windows process ahcache.sys/NtApphelpCacheControl, a piece of the core Window 8.1 code which was responsible for caching data for sharing between processes.

Under Windows' security restrictions only an administrator could edit the cache.  But the process had a flaw where if you grabbed the administrator's credentials from an administrative process running on the system, you could pass that id to ahcache.sys/AhcVerifyAdminContext -- code used to check the administrator's credentials.  The cod would then allow you to edit the cache, missing you were merely impersonating the administrator.

Windows 8.1
The bug published by Google endangered Windows 8.1 users. [Image Source: TopNews]

This seemingly minor bug could potentially allow you to launch a new process with administrative privileges, allowing a malicious user to takeover the machine.  "Forshaw" even published an example with a malicious executable and *.dll which launched a Calculator app running as administrator under a user account without administrative privileges.

In the original closed post "Forshaw" warns:

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

The 3 month window went by with no fix from Microsoft.  So on Dec. 29 the bug went live to the public.

II. Google Spills the Beans, Even as Microsoft Prepares Patch to Roll Out

Microsoft, though, apparently hadn't been sitting idle and -- according to its account -- had been ready to patch the bug on January's Patch Tuesday (1/13).  Microsoft patches low-level zero-day vulnerabilities on a monthly basis on the second Tuesday of each month (Patch Tuesday).

The bug in question had come in just ahead of the October Patch Tuesday, but missed the October, November, and December Patch Tuesdays as it apparently was somewhat more complex to fix than Microsoft anticipated.

But according to Microsoft's account, it told Google and "Forshaw" that it had a fix in hand and ready for January.  Google ignored this and published anyways at the end of 90 days, leaving Microsoft fuming.

MSRC Senior Director Chris Betz writes in a TechNet blog:

In terms of the software industry at large and each player’s responsibility, we believe in Coordinated Vulnerability Disclosure (CVD).  This is a topic that the security technology profession has debated for years. Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks.


CVD philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.  Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

He suggests that Google's unwillingness to try to cooperate with Microsoft's timeline is going to hurt everyone, writing:

Responding to security vulnerabilities can be a complex, extensive and time-consuming process.  As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.

To arrive at a place where important security strategies protect customers, we must work together. We appreciate and recognize the positive collaboration, information sharing and results-orientation underway with many security players today.  We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.

A user from Australian audit company Nexiom comments:

Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google. My reading of the disclosure is that it's your average local privilege escalation vulnerability. That's bad and unfortunate, but it's also a fairly typical class of vulnerability, and not in the same class as those that keep people like me up at night patching servers. The sad reality is that these sort of vulnerabilities are a dime a dozen on Windows, and the situation on Linux is pretty comparable. But disclosing it with zero context strikes me as the wrong approach.

What communication has occurred with Microsoft to date? Has the vulnerability been acknowledged? Presumably yes given there's an MSRC ID? Has there been a delay on Microsoft's end because of certain engineering complexities? Christmas has just passed and today is New Year's Eve, so realistically, many employees from both Google & Microsoft are likely on leave. That's unfortunate, security issues don't care about the time of year, but it's also the human reality. Ninety days may seem like a long time, but developing and regression testing a patch to an important operating system driver isn't typically quick or easy. Mistakes from rushing cost lots of time and money; anyone who's paid attention to recent screw-ups in MS Security Bulletins should be aware of this.

Disclosing this may have been the right thing to do. Doing so based on an automated deadline with zero context from Google strikes me as much less so. It seems to me that the relationship between Google & MSFT's respective security teams is fairly poor. Seeing things like this certainly goes a way to explaining why.

Another user "Anime Crazy" writes:

Google want to troll Microsoft than want to help.

Another user "Silver Star" blasts back:

Google is not evil. Microsoft just slept and did not fix the vulnerability in time. Good job google.

Certainly the fact that Microsoft is a competitor to Google's laptop Chrome OS, to Google's smartphone/tablet operating system Android, and to Google Search raises certain red flags.  That said, it's a little unclear where the "two days" before the patch part in the Microsoft blog comes from as the publication appears to be two weeks before the patch.
PC Guy security
Is Google being irresponsible by not cooperating with Microsoft's security updates? [Image Source: Apple]

The bug appears to be absent in Windows 10, indicating the redesign of the core components has closed this security hole even as it remained in Windows 8.1, awaiting a fix.

In closing, I should note this isn't the first time Microsoft and Google have quibbled over Google releasing details of Windows or Internet Explorer vulnerabilities.  With Google pushing for a 7-day vulnerability turnaround, it could soon start releasing Windows bugs even sooner.

Do you think Google's security researchers are playing foul by releasing bugs just weeks before Microsoft's fixes?  Or is it Microsoft's fault for taking three months to finish the fix?

Sources: Technet [Microsoft Security director], via Neowin

"If you can find a PS3 anywhere in North America that's been on shelves for more than five minutes, I'll give you 1,200 bucks for it." -- SCEA President Jack Tretton

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki