Google has published details of a Windows 8.1 security vulnerability that could allow a low-privileged local user to gain full administrative control of a system running the operating system, Slash Gear reports.
The bug was disclosed as part of Google's Project Zero, which finds vulnerabilities in widely used software and reports them privately to the vendor so that they can be fixed. Ninety days after the report, Google automatically publishes the details, on the expectation that the vendor will have shipped a fix by then. In this instance, however, Google published the bug despite Microsoft not yet having issued a fix for it, SC Magazine explains.
The disclosure of the Windows 8.1 vulnerability has led to some discussion on the internet about the risks of automatically disclosing bugs after 90 days. Responding to comments on the Project Zero post, Google security engineer Ben Hawkes thanked users for the “robust discussion” on the policy, but defended Google's decision to stick to the 90-day deadline, writing: “Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.”
“With that said, we’re going to be monitoring the effects of this policy very closely … We’re happy to say that initial results have shown that the majority of the bugs that we have reported … get fixed under deadline, which is a testament to the hard work of the vendors,” he added.
Speaking to The Register via email, a Microsoft spokesperson said that the company is working on a security update to fix the vulnerability, adding, “It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”