Google Project Zero team has once again disclosed the two unpatched Windows vulnerabilities in CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1. Microsoft, on the other hand, has come up with a statement saying that they will patch only one of the disclosed vulnerabilities in their February security bulletin, thereby mentioning that second bug is not a security issue.
These bugs were discovered by James Forshaw, the Head of Vulnerability Research at Context Information Security in the UK.
Forshaw said in his report,
“When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag), the encryption key is generated based on the logon session identifier, this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another, it supports extracting the logon session ID from the impersonation token.
Project Zero is a team of engineer who investigates and reports the vulnerability issues in third party apps and software and start a 90-day clock. Google discloses the bugs in public if not patched by the vendor within 90 days.
Following its policy, Google reported this bug to Microsoft on October 17, 2014 along with a 90-day deadline date for public disclosure on January 15. Microsoft was supposed to fix it in its January security bulletin released this week, but a few compatibility issues forced the company to postpone and schedule it for February security bulletin.
This is the third unpatched Windows vulnerabilities disclosed by Google in a month. Earlier this week, Forshaw also disclosed the privilege elevation flaw in Windows 8.1 just days before Microsoft planned to issue the security patch.