Google’s Project zero is a team of developers who spend some of their time on research that makes the internet safer by identifying security loopholes. This elite team of bug hunting hackers discovered vulnerability in Windows 8.1 that could give low-level users’ administrator’s rights.

Every bug that they discover is filed in an external database and initially reported only to the software vendors. The bugs that are identified are subject to a 90 day disclosure deadline within which the vendors are expected to fix it. If the deadline elapses, the bug report is automatically made visible to the public.

A researcher detected a Windows 8.1 bug that gave lower-level users access to sensitive server functions by an elevation of privileges that they would normally have no right to. The Zero team reported it to Microsoft on September 30 and reaching the 90 day deadline with the Windows 8.1 bug unpatched, they posted the details of the exploits online. Here is Mountain View’s statement on the same, “just to make this absolutely clear, the (bug) was reported to Microsoft on September 30 (along with) the 90-day disclosure deadline statement… which in this instance has passed.”

This issue has sparked considerable debate over the internet. Some commend Google for its great research and support its decision of exposing the vulnerability to the general masses. There are millions of people who may currently be running the insecure system, this enables them to be aware of the threat and take preventive countermeasures if needed; simultaneously pressurizing the manufacturers and developers to fix their products. On the other hand, some consider it outrageous and irresponsible of Google to disclose such sensitive information.

Meanwhile concerning the Windows 8.1 bug Microsoft says that they are “working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

Although the need for logon credentials limits the damage, its potency as a security pothole must not be undermined. A disgruntled employee with some programming skills could easily wreak havoc. As the debate on whether releasing the code was ethical and responsible or not on Google’s part, the following statement was released by a Project Zero’s researcher:

Thanks for the robust discussion everyone. We’ve been watching this thread develop, and although the bug tracker is intended for technical analysis and bookkeeping related to the specific issue described, we’re happy to give a little bit of leeway initially as there are some important process/policy issues being raised. Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the “Reported” label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.

With that said, we’re going to be monitoring the effects of this policy very closely – we want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security. We’re happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors. Thanks!Ben (Project Zero Researcher)