Saturday, January 17, 2015

Google publishes third Windows 0-day vulnerability in a month [feedly]



----
Google publishes third Windows 0-day vulnerability in a month
// CSO Online

Google ignored Microsoft's calls for flexible vulnerability disclosure deadlines and released details of another unpatched Windows flaw, leaving users exposed for at least the next 25 days.

The new vulnerability, which was confirmed on Windows 7 and 8.1, might constitute a security feature bypass for the way applications can encrypt their memory so that data can be exchanged between processes running under the same logon session.

[ Microsoft blasts Google for vulnerability disclosure policy ]

"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session," the Google Project Zero researchers said in a description of the flaw. "This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section."

To read this article in full or to leave a comment, please click here


----

Shared via my feedly reader


Sent from my iPhone

Todd Pigram

Data Center Engineer  

1801 Superior Ave. Ste. 300 | Cleveland, OH  44114

(800) 777-7178 | toll free

(440) 268-3297 | office

(216) 224-5769 | mobile

Architects of the anyplace workspace