Google announces details of Windows 10 elevation of privilege vulnerability
Researchers at Google’s Project Zero will look for errors in various systems and software. Developers will have 90 days to fix the vulnerabilities after discovering the vulnerabilities.
If the details of these vulnerabilities have not been fixed within the specified period, the details will be made public. Of course, developers can also contact Google to seek a grace period, etc. according to the situation.
Google has repeatedly disclosed Microsoft’s unfixed security vulnerabilities. For example, Google is now disclosing the unfixed security vulnerabilities in Windows 10. What is interesting is that Microsoft is still struggling with whether this vulnerability is important or not to be fixed.
According to Google’s description, certain default rules of Windows Filtering Platform (WFP) allow executable files, which can be connected to the TCP socket of the App Container.
Therefore, attackers can use certain rules to match container sockets to inject malicious code. Google believes that Microsoft should not automatically match certain container rules.
This is essentially an abuse of the rules. Google rated the vulnerability as low. Google privately reported to Microsoft on July 8 and hoped to fix the vulnerability. Later, Microsoft contacted Google to request a grace period because the vulnerability was too complicated to fix and it took time.
Then, on July 19, Microsoft suddenly stated that the company would not solve this problem at all, because if you want to exploit the vulnerability, the container needs to be exposed on the public network.
Google researchers thought about what Microsoft said. Although the vulnerability can indeed access internal addresses, it does need to be exposed on the public Internet to be exploited.
On August 18, that is yesterday, Microsoft suddenly contacted Google and said that the company was going to fix the vulnerability. Microsoft did not elaborate on it but it seems that the vulnerability should be fixed.
Since July, only more than one month has not reached the three-month disclosure period, but Google has disclosed all the details of this vulnerability in advance.
Of course, the good news is that the rating of this vulnerability is still low risk, so it should not cause too many security problems. It is estimated that Microsoft will fix this vulnerability next month. Interested users can click here to view the full details of this vulnerability.