Google Project Zero is a Google initiative to find vulnerabilities in various software platforms, which helps make that software more secure and, in turn, keeps the people using it protected.
After Google first published a Windows 8.1 vulnerability, Microsoft was annoyed, arguing that the team at Google Project Zero shouldn’t have disclosed the Windows vulnerability in public. Microsoft made a statement about it on its official blog, saying that Google should not disclose “sensitive” vulnerabilities, even if doing so is its duty.
After Microsoft made that statement, Google got its hands on more Windows vulnerabilities. It now seems that Microsoft has to provide a security patch soon, or its customers aren’t going to like it.
Let us look at the 5 vulnerabilities that were recently disclosed to the public by the Google Project Zero team.
Windows 7 32/64 bit Security Bypass
This vulnerability has been categorized as a “Security Bypass” vulnerability, which means it is a serious problem for Windows 7 users. The problem is in the function used to perform the security check on your Windows system when you access your computer.
On Windows 7 this check is bypassable because the function doesn’t take into account the impersonation level of the token, and the rest of the code doesn’t take it into account either. Therefore you can impersonate an administrator’s token as a normal user (through a linked token or by kidnapping a system token) and call the protected functions. If you aren’t a programmer, this may go over your head. In other words, the vulnerability described above can be exploited to gain access to any computer running Windows 7 32/64 bit.
And you can be sure that Google is angry at Microsoft, because its team has described the patch status as “Won’t Fix”.
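The flaw described above, a privilege check that ignores the token's impersonation level, shown as an added example next to a check that accounts for it. This is a simplified model written for this article, not Windows source code: the struct, the function names and the sample tokens are hypothetical, and only the four level names mirror Windows' documented impersonation levels.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption), not Windows source. */
typedef enum { LEVEL_ANONYMOUS, LEVEL_IDENTIFICATION,
               LEVEL_IMPERSONATION, LEVEL_DELEGATION } imp_level;

typedef struct {
    bool is_admin;          /* token carries the Administrators group */
    bool is_impersonation;  /* false = primary (process) token */
    imp_level level;        /* meaningful only for impersonation tokens */
} token;

/* Flawed check: trusts the group membership of whatever token is
   in effect and never looks at the impersonation level. */
bool check_admin_flawed(const token *effective) {
    return effective->is_admin;
}

/* Hardened check: an identification-level token only lets the holder
   inspect an identity, not act as it, so it must not pass. */
bool check_admin_hardened(const token *effective) {
    if (effective->is_impersonation && effective->level < LEVEL_IMPERSONATION)
        return false;
    return effective->is_admin;
}

/* Constructed sample tokens (hypothetical). */
static const token USER_PRIMARY  = { false, false, LEVEL_ANONYMOUS };
static const token ADMIN_PRIMARY = { true,  false, LEVEL_ANONYMOUS };
static const token ADMIN_ID_ONLY = { true,  true,  LEVEL_IDENTIFICATION };
static const token ADMIN_FULL    = { true,  true,  LEVEL_IMPERSONATION };

int main(void) {
    const struct { const char *name; const token *t; } cases[] = {
        { "normal user, primary token",        &USER_PRIMARY  },
        { "admin, primary token",              &ADMIN_PRIMARY },
        { "admin token, identification level", &ADMIN_ID_ONLY },
        { "admin token, impersonation level",  &ADMIN_FULL    },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s flawed=%d hardened=%d\n", cases[i].name,
               check_admin_flawed(cases[i].t),
               check_admin_hardened(cases[i].t));
    return 0;
}
```

The only row where the two checks disagree is the identification-level administrator token, which is the case the article says a normal user can obtain.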
Windows 7 and Windows 8.1 Update 32/64 bit ByPass
This vulnerability is in the same category as the one above. Without being more specific, it is also a loophole through which an attacker can disclose information from your computer.
API Information Disclosure
This is not a full security issue, but from a defensive point of view it is a bug that may pose a threat later.
Vulnerabilities 4 and 5 are complicated for a general reader, so if you are an expert programmer you may refer to Google Project Zero’s official site.