Google publishes Microsoft Windows vulnerability after 90 days of notice!

Status
Not open for further replies.

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
On December 29, Google published the Microsoft Windows 8.1 vulnerability after giving the company 90 days to fix it. The Windows vulnerability gives a low-level user administrator rights on Windows 8.1. Interestingly enough, Microsoft had not acknowledged the fact since the vulnerability was discovered on September 30.

For security reasons, it is ideal to do the most work with the least amount of privileges in order to prevent malware. It also prevents mischievous actions being conducted on the computer. If you conduct your daily routine with elevated or administrative privileges, chances are pretty good you will allow malware to be installed without you knowing it.

Why did Microsoft not fix this?

It's mind-boggling why Microsoft never addressed the vulnerability or even tried to eliminate the vulnerability. Microsoft did release a statement to Engadget:

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid login credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

Google’s proactive approach to fighting Zero Day vulnerabilities

Although Microsoft did not appreciate the publishing by Google’s Project Zero, Google and the newly formed team did respond that there are obligations that companies need to adhere to in order to keep and maintain the trust of the people who rely on their technology. Project Zero offered their policy about disclosures on vulnerabilities and software vendor responsibilities by responding to Microsoft, saying:

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
 

Cch123

Level 7
Verified
May 6, 2014
335
Emsisoft has an interesting tendency of posting sensationalist articles :)

Anyway, even if this is patched, there are several UAC bypass exploits still available and used by hackers. Microsoft has not patched these for years already. Hence patching this vulnerability or not makes no difference to hackers. The important thing is to make sure we don't let attackers achieve code execution on our machines and we do not have to worry about these vulnerabilities.
 