Google released details of a new privilege escalation vulnerability in Windows just as Microsoft was getting ready to send out a patch.
Microsoft was first notified of the vulnerability more than 90 days earlier, and Google's Project Zero automatically published the details when the 90-day disclosure deadline passed without the Redmond software giant shipping a patch.
“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so),” Google said in its report. “In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced.”
“However, there seems to be a bug in the way it handles impersonation: the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account; it isn’t something that only happens during the initial provisioning of the local profile,” Google said.
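The bug class the report describes, a privileged service creating objects inside a user's profile on the user's behalf, leaves a footprint an administrator can look for: objects under the profile whose owner is SYSTEM (or Administrators) rather than the user. The following PowerShell audit is an added example written for this page, not code from Project Zero or Microsoft. It assumes that the HKLM location the report refers to is the `ProfileList` key under `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, and that objects created under a Local System token end up owned by SYSTEM or Administrators by default; it also flags reparse points (junctions and symlinks) under the profile as a general heuristic for this bug class, which the report itself does not mention.

```powershell
# Added example (editor's, not from the Project Zero report or Microsoft):
# list objects in a local user profile that are not owned by that user, plus any
# reparse points. Run from an elevated prompt so Get-Acl can read every object.
param(
    [string]$UserName = $env:USERNAME,
    [int]$Depth = 2
)

$ErrorActionPreference = 'SilentlyContinue'

# Resolve the user's SID, then read the configured profile path from HKLM.
# Assumption: ProfileList is the HKLM configuration the report alludes to.
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profilePath = [Environment]::ExpandEnvironmentVariables(
                   (Get-ItemProperty -Path $key).ProfileImagePath)

if (-not $profilePath -or -not (Test-Path -LiteralPath $profilePath)) {
    Write-Warning "No profile directory found for $UserName (SID $sid)"
    return
}

# Canonical MACHINE\user (or DOMAIN\user) form, matching what Get-Acl reports as Owner.
$expectedOwner = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                     Translate([System.Security.Principal.NTAccount]).Value

Get-ChildItem -LiteralPath $profilePath -Recurse -Force -Depth $Depth |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        if (-not $acl) { return }   # access denied or vanished mid-scan; skip

        # Assumption: objects created while impersonating Local System are owned by
        # SYSTEM/Administrators rather than the user, so a foreign owner is the signal.
        $isReparse = ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if ($acl.Owner -ne $expectedOwner -or $isReparse) {
            [pscustomobject]@{
                Path         = $_.FullName
                Owner        = $acl.Owner
                ReparsePoint = $isReparse
            }
        }
    } | Format-Table -AutoSize
```

A clean profile shows few or no rows; rows owned by `NT AUTHORITY\SYSTEM` or `BUILTIN\Administrators` at shallow depth are the ones worth comparing against a freshly provisioned account, since the report notes the privileged creation happens on every logon, not only at first provisioning.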
A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 was published, but the researchers said the vulnerability also affects Windows 7.
In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, Google told Microsoft the 90-day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline, even by two days.
In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.