Unpatched Windows 10 flaw: Google reveals 'high-severity' privilege escalation bug

The vulnerability, revealed by security researchers on Google's Project Zero team, allows attackers to trick Windows 10 into giving them full access to a file.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

For the second time in one week, Google has revealed an unpatched vulnerability in Windows 10.
The new ‘high-severity’ flaw could allow an attacker to gain full access to a file, but typically requires local access to the PC.

Google has revealed an unpatched ‘high-severity’ vulnerability in Windows 10, the second exploitable flaw in Microsoft’s OS it has published in a week.

The latest vulnerability, revealed by security researchers on Google’s Project Zero team, allows an attacker to trick Windows 10 into giving full access to a file by manipulating how that file is handled by the OS.

Google told Microsoft about the potential exploit in November last year, and publicized the flaw on Tuesday.

It follows the decision by Google to last week publicly detail a separate ‘medium-severity’ flaw in Windows 10, which could allow malicious sites to exploit its Edge web browser. Microsoft has since told Google it doesn’t have a date for when this issue will be fixed due to its complexity.

Google has a policy of publishing details of software vulnerabilities if they are not patched within 90 days of notifying the relevant vendor.

The latest privilege escalation vulnerability is not exploitable remotely or in browsers that run in a sandbox, such as Google Chrome or Microsoft Edge.

SEE: Securing Windows policy (Tech Pro Research)

Nevertheless, researchers say it is high severity due to the ease with which it could be exploited by someone who already has the ability to remotely execute code on the computer or who is logged into the machine locally.

Google has produced proof-of-concept code that exploits the vulnerability in the latest Fall Creators Update version of the OS. The code exploits Windows 10’s Storage Services, manipulating the SvcMoveFileInheritSecurity method into letting an attacker edit a file to which they should only have read access.

Although Microsoft appeared to have fixed the vulnerability in February’s Patch Tuesday update, Project Zero researcher James Forshaw says it remains unaddressed.

According to Google, Microsoft considers the flaw to be an ‘Important’, but not a ‘Critical’, issue. This designation affects how much of a priority fixing the issue is. Microsoft had not responded to a request for comment at the time this article was published.

Windows 10 security was under the spotlight yesterday, when it was revealed that its anti-malware scan interface (AMSI) is truncating files whenever it detects a null character, leaving malicious code included after unscanned.

Also see

IT pro’s guide to effective patch management (free PDF) (TechRepublic)
Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge (ZDNet)
Windows security: New Microsoft dashboard shows PCs at risk from Meltdown-Spectre (TechRepublic)
Windows security: Microsoft issues Adobe patch to tackle Flash zero-day (ZDNet)
7 Windows 10 security features that could help prevent cyberattacks against your business (TechRepublic)

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

Unpatched Windows 10 flaw: Google reveals ‘high-severity’ privilege escalation bug