Google discloses zero-day bug in Windows

Gave Microsoft 90 days' grace to patch the flaw.

Google’s Project Zero team has publicly disclosed a zero-day vulnerability in Microsoft Windows 8.1 after giving the software giant three months to patch the flaw.

Project Zero, Google’s security research team, published details of the bug online on December 29, 2014 after having discovered the vulnerability 90 days prior.

The flaw is in NtApphelpCacheControl, a function that is used for caching application compatibility information, and could be used to bypass user account control and allow a malicious application to act as an administrator.

According to the Sophos security blog, the flaw can only be exploited if a device has already been compromised.

Although Google has given Microsoft 90 days to effectively patch the flaw, the Windows creator has not released a fix.

Meanwhile, Google's page detailing the vulnerability has been filled with comments from users who said this flaw's exposure could impact billions and its release would ultimately harm Windows users.

A Microsoft spokesperson said the company is working to release a security update and reminds users to remain vigilant on security practices.

“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,” the spokesperson said in an email to SC Magazine. “We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer.”

Google didn't respond to a request for comment.

Microsoft's next Patch Tuesday is next week, on January 13.

Copyright © SC Magazine, US edition
