347 647 9001+1 714 797 8196Request a Call
Call Me

Google announces a bug in Microsoft Windows 8.1

January 5, 2015
, , , , ,

When Microsoft didn’t fix a bug within the deadline, a 90-day window period, A Google researcher has disclosed an unpatched vulnerability in Windows 8.1. This disclosure early this week, stirred up a debate if outing the vulnerability was an appropriate measure.

The bug allows low-level Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear if versions of the Windows OS earlier than 8.1 were affected by the bug.

The vulnerability is "your average" local privilege escalation vulnerability, the same poster wrote. "That's bad and unfortunate, but it's also a fairly typical class of vulnerability, and not in the same class as those that keep people like me up at night patching servers," the poster said. "The sad reality is that these sort of vulnerabilities are a dime a dozen on Windows."

Another poster, in what may be a slight overstatement, suggested the versions of Windows affected are run by "billions" of computer users. "Exposing vulnerabilities like this has far reaching consequences," the poster wrote. "People could get hurt by this and it doesn't bring anyone closer to a solution. When an organization is as big and powerful as [Google], people working there need to think of themselves as stewards of a great power and work to be fair and regulate the harm that can come of misusing this great power when possible."

Other posters praised Google for sticking to a deadline it's had in place since it launched its Project Zero bug-tracking team last July. "No one is done any good by keeping it secret," one poster wrote. "By exposing the [vulnerability] they allow those billions who may be running vulnerable systems to be aware of the threat to their own security and take countermeasures. A patch isn't the only way to mitigate the issue. Given the nature of this vulnerability, there are other steps administrators can take to start protecting their vulnerable systems while they await a patch."

Microsoft said in a statement it is working to release a security update to the reported vulnerability. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine," a spokesman said by email. "We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer."

Google, in a statement published on Engadget, defended the release of the vulnerability information.

Google's 90-day deadline for fixing bug is "the result of many years of careful consideration and industry-wide discussions about vulnerability remediation," the company said. "Security researchers have been using roughly the same disclosure principles for the past 13 years ... and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy."

Google will monitor the effects of its policy closely, the company added. "We want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security," the company added. "We're happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors."


About the Author

Trusted by Fortune 500 Companies and 10,000 Students from 40+ countries across the globe, it is one of the leading International Training providers for Finance Certifications like FRM®, CFA®, PRM®, Business Analytics, HR Analytics, Financial Modeling, and Operational Risk Modeling. EduPristine has conducted more than 500,000 man-hours of quality training in finance.


Global Association of Risk Professionals, Inc. (GARP®) does not endorse, promote, review or warrant the accuracy of the products or services offered by EduPristine for FRM® related information, nor does it endorse any pass rates claimed by the provider. Further, GARP® is not responsible for any fees or costs paid by the user to EduPristine nor is GARP® responsible for any fees or costs of any person or entity providing any services to EduPristine Study Program. FRM®, GARP® and Global Association of Risk Professionals®, are trademarks owned by the Global Association of Risk Professionals, Inc

CFA Institute does not endorse, promote, or warrant the accuracy or quality of the products or services offered by EduPristine. CFA Institute, CFA®, Claritas® and Chartered Financial Analyst® are trademarks owned by CFA Institute.

Utmost care has been taken to ensure that there is no copyright violation or infringement in any of our content. Still, in case you feel that there is any copyright violation of any kind please send a mail to and we will rectify it.

Popular Blogs: Whatsapp Revenue Model | CFA vs CPA | CMA vs CPA | ACCA vs CPA | CFA vs FRM

Post ID = 69289