Google has revealed this month another unpatched zero-day vulnerability in Windows 7 and Windows 8.1. This is the third time Google has refused Microsoft's request for a more flexible vulnerability disclosure deadline.
The vulnerability is documented as issue 128 of Google's security research tracker, and the zero-day exploit is confirmed to work on Windows 7 and even Windows 8.1. The affected functionality lets an application encrypt memory for one of three scopes: process, logon session and computer. According to Google's issue tracker, the logon session option (the CRYPTPROTECTMEMORY_SAME_LOGON flag) generates the encryption key from the logon session identifier; it is intended for sharing memory between processes running within the same logon session.
The implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken). So a normal user can impersonate at Identification level and encrypt or decrypt data for that logon session.
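To make the missing check concrete, here is a toy model of the key-derivation path, added for this post and not code from CNG.sys or from the Google issue. The token structure, the impersonation-level enum, the per-boot secret and the keystream transform are all constructed stand-ins; the only real elements are the flag semantics described above (key derived from the logon session id) and the Windows ordering of impersonation levels. It contrasts an unchecked derivation, which hands out the session key to an Identification-level token, with a checked one that refuses it.

```python
"""Toy model of a logon-session-scoped memory key (constructed example, not Windows code)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional


class ImpersonationLevel(IntEnum):
    """Same ordering as Windows SECURITY_IMPERSONATION_LEVEL."""
    ANONYMOUS = 0
    IDENTIFICATION = 1
    IMPERSONATION = 2
    DELEGATION = 3


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for an access token: the logon session it belongs to and,
    for impersonation tokens, the level the client granted (None = primary token)."""
    logon_session_id: int
    impersonation_level: Optional[ImpersonationLevel] = None


# Constructed stand-in for the per-boot secret the kernel would mix into the key.
SYSTEM_SECRET = b"constructed-per-boot-secret"


def derive_logon_key(logon_session_id: int) -> bytes:
    """Key for the SAME_LOGON scope: a function of the logon session id only."""
    return hmac.new(SYSTEM_SECRET, logon_session_id.to_bytes(8, "little"), hashlib.sha256).digest()


def logon_key_unchecked(token: Token) -> bytes:
    """Models the reported defect: the session id is taken from whatever token is
    presented, without looking at its impersonation level."""
    return derive_logon_key(token.logon_session_id)


def logon_key_checked(token: Token) -> bytes:
    """Hardened variant: an impersonation token below SecurityImpersonation does not
    confer its logon session for key derivation."""
    if token.impersonation_level is not None and token.impersonation_level < ImpersonationLevel.IMPERSONATION:
        raise PermissionError("impersonation level too low to use this logon session")
    return derive_logon_key(token.logon_session_id)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric transform; protect and unprotect are the same operation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def scenario(key_fn: Callable[[Token], bytes]) -> Optional[bytes]:
    """A service in logon session 0x3E7 protects a secret; a process holding only an
    Identification-level impersonation token for that session then tries to unprotect it.
    Returns the recovered bytes, or None when the key derivation refuses the token."""
    service = Token(logon_session_id=0x3E7)
    secret = b"constructed secret held by the service"
    blob = xor_keystream(key_fn(service), secret)

    low_priv_token = Token(0x3E7, ImpersonationLevel.IDENTIFICATION)
    try:
        return xor_keystream(key_fn(low_priv_token), blob)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("unchecked:", scenario(logon_key_unchecked))
    print("checked:  ", scenario(logon_key_checked))
```

With the unchecked derivation the Identification-level token yields the same key as the service and the secret comes back intact; with the checked derivation the call is refused. The point of the model is where the check has to live: the kernel cannot trust a logon session id read from an impersonation token unless the token's level is at least SecurityImpersonation, because Identification-level tokens are obtainable without the right to act as that user.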
Microsoft confirmed this vulnerability on Jan 12th, but needed further confirmation. They planned to release a fix on the January 2015 patchday, but it was postponed to February 2015 due to compatibility issues.