Friday, January 2, 2015

Google Released an Unpatched Microsoft Bug to the Public

Project Zero is a team of security experts assembled by Google to make the internet safer. The team focuses on finding vulnerabilities in critical internet infrastructure. Thus far it has found vulnerabilities in a variety of operating systems, including Android, Linux, iOS, and Mac OS X. Microsoft is the target of the team's latest endeavor: a member of Project Zero recently made public a critical bug in Windows 8.1 (and possibly Windows 7) that Microsoft failed to fix in the 90-day period after the team privately disclosed it. The bug in question gives a user, or malware, administrator privileges to make changes to the system by clicking an .exe file. This auto-elevation of privileges means that unauthorized users or malware could make changes to the system, bypassing all the limitations placed on non-administrators.

Microsoft has stated that users would still "need to have valid logon credentials and be able to log on locally to a targeted machine." However, as Steve Dent points out in his engadget.com article "Google posts Windows 8.1 vulnerability before Microsoft can patch it," "while that should limit the damage, it doesn't mean the flaw is harmless -- a disgruntled mid-level employee with some programming skills could wreak serious harm." Microsoft was alerted to the bug on September 30 and was warned that it had a 90-day period to fix it. While Microsoft has publicly admitted to the bug's existence, it has not stated why the bug has not yet been fixed. The next "Patch Tuesday," on which Microsoft usually releases its updates, is planned for January 13, but it is unknown whether the bug will be fixed then, earlier, or later.

For more information, you may visit this article by Lucian Armasu, which I utilized when making this post: http://www.tomshardware.com/news/google-critical-windows-bug-unfixed,28294.html

Or you may visit the aforementioned article by Steve Dent: http://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/
