It has not been a good week for Microsoft when it comes to security, with Google’s Project Zero continuing to hammer on Microsoft’s operating system and browser, and the company not being able to keep up with the patching.
Unlike the earlier Edge issues, the new flaw, discovered by Google’s hit squad in November, affects the operating system and not the browser. Despite being given 3 months and a 14-day extension, Microsoft was not able to push out a fix before Google revealed the flaw to the public and potential hackers.
Google rates the privilege escalation flaw as “high severity”. It allows users to assign an arbitrary security descriptor to an arbitrary file, leading to an elevation of privilege, a technique commonly used by cyber attackers to gain administrator privileges and move unfettered inside targeted networks or systems.
The flaw, in the SvcMoveFileInheritSecurity function call, would allow hackers to modify system files despite those files being marked read-only, and would potentially allow other users on a network to modify the file.
Google has posted a proof of concept that creates a text file in the Windows folder and uses the SvcMoveFileInheritSecurity RPC to overwrite the security descriptor to allow access to everyone.
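As an added example, not code from Google's report or from Microsoft: a PowerShell audit for the end state the proof of concept produces, a file under the Windows folder whose security descriptor lets Everyone modify it. The parameter names and output fields are assumptions chosen for illustration.

```powershell
# Added example: list files whose DACL grants the Everyone group
# (well-known SID S-1-1-0) any right that allows modification.
param(
    [string]$Root = $env:windir,   # assumption: scan root, defaults to the Windows folder
    [switch]$Recurse               # assumption: opt in to scanning subfolders
)

# Rights that let a principal change a file's contents or its security descriptor.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership')
# Also catch unmapped generic rights: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

Get-ChildItem -LiteralPath $Root -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    try {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
    } catch {
        return   # descriptor not readable with current rights; skip this file
    }

    # Ask for SIDs rather than names so the match works on localized systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $file.FullName
                Owner     = $acl.Owner
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # explicit (non-inherited) entries deserve the closest look
            }
        }
}
```

Any hit under the Windows folder is worth investigating, since files there are not normally writable by Everyone.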
While Google rated it as High severity, Microsoft only called it “important,” noting it cannot be exploited remotely or from inside a sandbox such as those used by Edge and Chrome. Hackers, however, often chain together a number of vulnerabilities, making even a limited flaw dangerous.
Windows users will presumably have to wait until Patch Tuesday next month for a fix. So far there are no reports of the flaw being exploited in the wild.
Read more about the vulnerability at Google here.