Google’s Project Zero has published details about several Windows kernel vulnerabilities that Microsoft patched in February’s Patch Tuesday update, along with bypasses that work against security features in the latest version of Windows 10, known as the Fall Creators Update.
Google’s team of bug hunters at Project Zero published details about three of the 11 Windows kernel vulnerabilities for which Microsoft released patches last week.
Microsoft said the kernel flaws were not likely to be exploited and did not rate them as critical, but they may nonetheless be important to fix now that Google has revealed details about them.
The bug tagged as CVE-2018-0832, for example, allowed a local authenticated attacker to defeat Windows kernel address space layout randomization (KASLR) or read secrets stored in the kernel address space. Other kernel bugs Google published details about today included CVE-2018-0809 and four issues related to CVE-2018-0810.
Microsoft also now says it doesn’t know when it will patch the flaw in Edge that can be used to bypass the Windows 10 exploit mitigation feature called Arbitrary Code Guard (ACG). Google published details about the flaw last week in line with its 90-day disclosure deadline. Under that policy, Project Zero discloses a bug 90 days after reporting it, even if the vendor hasn’t released a patch.
Microsoft originally said it couldn’t meet that timeframe because of the complexity of the fix, but was confident it could patch the issue by the March Patch Tuesday. It has since told Project Zero that it doesn’t have a fixed date for the fix’s release.
The lack of a fixed date is notable because of Google’s “14-day grace period,” which permits its researchers to delay public disclosure of a vulnerability if the vendor notifies them before the 90 days are up and the fix arrives no later than two weeks after the original deadline.
In a subsequent note to Google, Microsoft highlighted that the ACG bypass the search firm found needs to be chained together with another vulnerability in order to work.
“This issue is a security mitigation bypass and cannot be exploited on its own. An attacker would first need to exploit a separate vulnerability to gain some capabilities in the Edge content process (such as the ability to read and write arbitrary memory locations), after which they could use this vulnerability to gain additional capabilities (namely, the ability to run arbitrary machine code),” Google’s update reads.
The two tech giants’ different approaches to vulnerability disclosure have in the past put them at loggerheads. With the exception of Meltdown and Spectre, Project Zero maintains a fairly strict 90-day deadline. Microsoft, meanwhile, advocates coordinated disclosure, typically timed to when the vendor is prepared to release a fix.
Google’s Project Zero also today revealed details about, and proof-of-concept exploits for, flaws in Windows 10 security features exclusive to the latest Fall Creators Update, which Microsoft assessed would likely be exploited.
One of the bugs relates to a security feature whose purpose Google’s researchers couldn’t determine, leading to speculation that Microsoft had implemented it this way to support the Windows Subsystem for Linux (WSL).