Google discloses another zero-day flaw

Google has disclosed another flaw that affects both Win7 and Win8.

The Google Project Zero researchers said: “The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the log on session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.”

Although Microsoft was notified of the flaw on Oct. 17th, it was not included in this last update Tuesday due to compatibility issues.

The Google researchers were unmoved by this and stuck to their 90-day public disclosure deadline, publishing details of the flaw and a proof-of-concept exploit Thursday.

Microsoft has said that they believe that researchers should work with vendors until a fix is produced. “We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon,” Chris Betz, senior director with Microsoft’s Security Response Center, said.

However, other researchers believe that 90 days is sufficient time to produce a fix. Robert Graham, the CTO of security research firm Errata Security, said: Microsoft is just “whining” over its own inability to respond to bugs in a timely manner after over a decade of using its dominant position to dictate how vulnerabilities should be handled. “It’s now Google who sets the industry’s standard for reporting vulnerabilities.”