Google exposed Windows 10 security flaw, Microsoft responded
It has been reported that Google’s Project Zero, a team of security analysts, has disclosed a security flaw in Windows 10 after Microsoft failed to fix the issue within the allotted 90-day period. Microsoft has marked the flaw as a “high” severity problem and rated it as an important issue rather than a critical one.
In technical terms, the latest security flaw is an “Elevation of Privilege”, which allows a normal user to access administrator functionality. For example, a file that is read-only for unprivileged users on the system can be made modifiable by them through the exploit.
As per the report, the flaw, labeled ‘1428’, has been tested on Windows 10 version 1709. The security analyst who found the bug attached C++ code as evidence; it creates a text file in the Windows folder and overwrites the security descriptor so that access is granted to everyone.
The security researcher states: “Some additional notes about this issue. Firstly based on the fix for issue 1427 this only affects Windows 10, it does not affect any earlier versions of Windows such as 7 or 8.1. However, I’ve not verified that to be the case but there’s no reason to believe it’s incorrect. MS consider this to be an ‘Important’ issue, but crucially not a ‘Critical’ issue. This is because this issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However, in order to execute the exploit you’d have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue, it’s easy to exploit, but it doesn’t take into account the prerequisites to exploiting the issue in the first place.”
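The outcome described above, a file whose security descriptor grants access to everyone, is something a defender can audit for. The following is an added example, not code from the Project Zero report or from Microsoft: it parses a security descriptor in SDDL form and reports allow ACEs that give the Everyone group write-type rights. The SDDL strings are constructed samples, and conditional ACEs are assumed absent.

```python
import re

# Access-mask bits that let a trustee modify a file or its security descriptor.
WRITE_BITS = {
    0x00000002: "FILE_WRITE_DATA", 0x00000004: "FILE_APPEND_DATA",
    0x00010000: "DELETE", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# SDDL two-letter rights codes and the access-mask value each stands for.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
EVERYONE = {"WD", "S-1-1-0"}  # SDDL alias and SID string of the Everyone group

def rights_mask(field):
    """Convert an SDDL rights field (hex/decimal number or letter codes) to a mask."""
    if field[:1].isdigit():
        return int(field, 0)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def everyone_write_aces(sddl):
    """Return (ace, [right names]) for each allow ACE giving Everyone write access."""
    findings = []
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee not in EVERYONE:
            continue
        mask = rights_mask(rights)
        granted = [name for bit, name in WRITE_BITS.items() if mask & bit]
        if granted:
            findings.append((ace, granted))
    return findings

# Constructed samples: admin/system only, Everyone full control, Everyone read-only.
SAMPLES = {
    "restricted": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
    "everyone_full": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;WD)",
    "everyone_read": "O:BAG:SYD:PAI(A;;FR;;;WD)",
}
if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, everyone_write_aces(sddl))
```

On Windows, the SDDL string for a file can be obtained from the `Sddl` property of the object returned by PowerShell's `Get-Acl`.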
Microsoft released a fix on Patch Tuesday, but it only patched the previous ‘1427’ flaw, which Project Zero had also disclosed after Microsoft failed to fix it within the required time period. The new security flaw has yet to be fixed.
Neowin asked Microsoft when the issue would be resolved. The tech giant responded, “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”
We will let you know when it gets patched.