A severe Elevation of Privilege vulnerability was detected and reported to Microsoft on September 30, but the software company has yet to produce a patch to fix it. The flaw, which allows an attacker who already holds proper privileges to take over the computer, was identified by an engineer at Google. Under Google's disclosure policy, information about a flaw of this severity is published 90 days after it is identified and reported to the vendor. The public disclosure went live on December 29th.
Comments on the public disclosure page on the Google Security Research site show that many believe Google is irresponsible in providing both the information and a proof-of-concept, despite the company's policies, labeling it "shameful behavior." And, since there are always two sides to a coin, some are lauding Google for its efforts.
Still, Microsoft has had plenty of chances to deliver a fix for what it knew was basically a ticking time bomb.
Microsoft has issued the following response in a blatant CYA operation:
"We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
The statement is nothing special. Keeping antivirus up to date, installing updates, and running a firewall is pretty basic stuff. As with any Elevation of Privilege flaw, removing unnecessary Administrative rights from the logged-in account eliminates the threat.
But the statement also suggests that the issue is now clearly on Microsoft's radar, if it wasn't before, and we could see a security update for it roll out during the first Patch Tuesday of 2015.
It's not yet known whether the flaw exists on other versions of Windows. The vulnerability was only tested and confirmed against Windows 8.1.