IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google exposes Windows 8.1 security flaw

The search giant has uncovered a security hole in Windows 8.1 Microsoft reportedly failed to patch within its 90-day deadline

Google Sign

Google has exposed a security flaw in Windows 8.1, saying it decided to uncover the problem because Microsoft didn't fix it in time.

The bug, which allows application data to be cached when processes are created by an administrator, doesn't correctly check the impersonation token of the caller, meaning anyone could bypass the required checks.

The post on Google's Security Research blog said the system call, "reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check."

Hackers could potentially use this vulnerability to gain access to systems and applications on a user's computer that would normally only be available to administrators. It could also allow anyone to make themselves an administrator and access server functions.

Microsoft responded to the public exposure, saying: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

The bug was discovered as part of Google's Project Zero, which seeks out bugs in a range of operating systems and platforms before privately notifying the companies responsible for applying a fix. If the company fails to act on Google's alert within 90 days, information about the flaw is released to the wider world.

The blog continued: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022
Microsoft silent patches called “a grossly irresponsible policy”
cyber security

Microsoft silent patches called “a grossly irresponsible policy”

15 Jun 2022

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
Attracting and retaining talent through training
Sponsored

Attracting and retaining talent through training

13 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022