January 5, 2015

Google reveals Windows 8.1 zero-day

Flaw remains unpatched 90 days after private disclosure to Microsoft.

By Jimmy Nicholls

Google has publicly revealed an unpatched Windows zero-day bug, following the lapse of a three-month waiting period after private disclosure.

The flaw potentially allows escalation of privilege on Windows 8.1. The disclosure comes more than a week ahead of the next regular Microsoft Patch Tuesday update, due to take place on January 13.

A spokesman from Microsoft said: "We are working to release a security update to address an elevation of privilege issue."

"It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine."

Hackers can gain admin rights through a bug in the application compatibility data cache on Windows 8.1, which fails to check impersonation tokens correctly and thus allows them to gain control over systems, according to Google researcher James Forshaw.

He added that it was "unclear" whether Windows 7 is vulnerable to a similar attack, though he said it might be possible to bypass checks on the older OS to escalate privilege.
