Google Discloses Another Microsoft Security Flaw

Google researchers found a security flaw in Microsoft's Windows 7 and 8.1 operating systems and publicly disclosed its details. This is the third such unpatched Microsoft flaw that Google has disclosed this month. And now Microsoft is none too happy about it.

This particular flaw has to do with the way applications encrypt their data. It will likely be patched on February 10, when Microsoft releases the next round of its monthly "Patch Tuesday" security updates.

The flaw works like this: Windows 7 and 8.1 contain a function called CryptProtectMemory, which, among other things, generates a new encryption key at login. Other applications can access that key via a token, so that the applications can share data during the same login session. But another process, called CNG.sys, doesn't properly verify these tokens, meaning someone could impersonate a computer's legitimate user to gain access to the user's data in an unencrypted form.

It's not exactly the easiest flaw to exploit; attackers would need to do something else first, like exploit another flaw or install malware on a target's computer. "This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section," Google wrote in its documentation of the flaw. This documentation also contains instructions about how to reproduce the flaw, and could be used as a blueprint by attackers to exploit it.

As to why Google released the flaw, and why Microsoft is irked, it's all nearly as complicated as the flaw itself. The flaw was found by Google's Project Zero team, a posse of security lone rangers who scour the web looking for vulnerabilities in commonly used software. Project Zero says it privately notified Microsoft of this encryption flaw on October 17.

Microsoft planned to release a patch for it in its January Patch Tuesday updates, but it was delayed due to compatibility issues. Now here's where the real problem started: Project Zero has a strict 90-day disclosure policy. That means if a software vendor still hasn't patched the flaws Project Zero found in its software ninety days after Project Zero first notified it, Project Zero will publicly disclose the flaws.

This means that Windows users are theoretically vulnerable (or at least, more vulnerable) until Microsoft does finally release the patch. But public disclosure of flaws isn't unheard of in the security world. It's not uncommon for a software vendor to ignore or deny security flaws found by third parties (though this is not the case with Microsoft). In response, security researchers would publicly disclose flaws in order to create pressure for the vendors to actually fix them. 

But Microsoft is not happy with Google's behavior. "We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," wrote Microsoft's Chris Betz in a blog post on the Microsoft Security Response Center on January 11. Betz was referring to one of the first two vulnerabilities that Google's Project Zero disclosed this month.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.