Few weeks ago, Google had outed a vulnerability in Windows. Well ! Google has done it again. This time by a Google security researcher detailed another vulnerability in both Windows 8.1 and Windows 7. Similar to the exploit that Google had previously detailed, this vulnerability could allow a user to impersonate another ID allowing encryption and decryption of data he or she wouldn't have access to.
From the report:
"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section."
This news comes before a patch has been issued by Microsoft to fix the exploit just similar to the previous report by Google security research. However, it is important to note that the details of these security exploits are subject to a 90 day disclosure deadline. It appears, Microsoft was aware of the issue for quite sometime and fix for this is expected in February patches.
Image Courtesy : Windows Central
No comments:
Post a Comment