Google’s Project Zero team has publicly disclosed a zero-day vulnerability in Microsoft Windows 8.1 after giving the software giant three months to patch the flaw.
The flaw is in NtApphelpCacheControl, a function used for caching application compatibility information, and could be used to bypass User Account Control (UAC) and allow a malicious application to act as an administrator.
According to the Sophos security blog, the flaw can only be exploited if a device has already been compromised.
Although Google has given Microsoft 90 days to effectively patch the flaw, the Windows creator has not released a fix.
Meanwhile, Google's page detailing the vulnerability has been filled with comments from users who said this flaw's exposure could impact billions and its release would ultimately harm Windows users.
A Microsoft spokesperson said the company is working to release a security update and reminded users to remain vigilant on security practices.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine,” the spokesperson said in an email to SC Magazine. “We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer.”
Google didn't respond to a request for comment.
Microsoft's next Patch Tuesday is next week, on January 13.