Security

GRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAY

Redmond ran out of time to patch Windows flaw

Google has once again decided Microsoft's moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week.

The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently.

Google's Project Zero dropped the bug in line with its 90-day fix-it-or-else disclosure policy which this week ruffled its foe's feathers after a serious flaw was revealed two days before Redmond issued a fix.

Microsoft asked for the disclosure of that particular bug be held back slightly until it could be dealt with on Patch Tuesday, to reduce impact on customers.

Microsoft senior director Chris Betz said Google's actions are not useful, as they have the potential to hurt Windows users.

The Choc Factory for its part was sticking fast.

Google appears to be flinging fudge at all netizens that don't take patching seriously: coupled with its tight 90-day dump rule, the software giant also refused to fix a serious WebView flaw in its own Android platform for the old but hugely popular version 4.3.

It is estimated that close to a one billion users - 60 percent of the Android customer base - would be impacted unless they updated their phones and tablets. That feat's not simple, as device manufacturers and telcos need to get in on the act and push out Google's latest updates.

One alternative is for users to install supported modified operating systems such as Cyanogenmod that, while stable, may require a process too alien and fiddly for the non-technical masses.

Google said it was difficult to fix the WebView hole due to its integration into the core system as opposed to it running in Google Play services for later Android platforms.

The newly-disclosed Windows vulnerability affected the function CryptProtectMemory which together with an encryption key could allow memory sharing and logon session ID extraction between processes.

The flaw was in the CNG.sys implementation, which failed to run proper token checks meaning logon session IDs a normal user could decrypt or encrypt data for that logon session.

"This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section," the Google report says.

"This behaviour of course might be design, however not having been party to the design it's hard to tell." ®

Sponsored: The Nuts and Bolts of Ransomware in 2016