Google exposes Windows 8.1 security flaw
The search giant has uncovered a security hole in Windows 8.1 Microsoft reportedly failed to patch within its 90-day deadline


Google has exposed a security flaw in Windows 8.1, saying it decided to uncover the problem because Microsoft didn't fix it in time.
The bug lies in a system call that caches application data when processes are created by an administrator. The call doesn't correctly check the impersonation token of the caller, so anyone could bypass the required checks.
The post on Google's Security Research blog said the system call, "reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check."
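The quoted report describes a classic token-trust mistake: an identify-level token tells the kernel who the client is but carries no right to act on their behalf, so comparing only its user SID lets a caller who merely holds LocalSystem's identity pass as LocalSystem. The following is an added, constructed C model of that check and its hardened form; it is not code from the original article or from Windows. It assumes a simplified token struct (user SID string plus impersonation level) rather than the real kernel TOKEN; the level ordering copies the real SECURITY_IMPERSONATION_LEVEL enum, and the real PsReferenceImpersonationToken returns that level through its ImpersonationLevel out parameter, which is the value the hardened version consults.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same ordering as the Windows SECURITY_IMPERSONATION_LEVEL enum. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,   /* "identify" token: proves identity, grants no rights */
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} ImpersonationLevel;

/* Constructed stand-in for an access token: only the two fields this check needs. */
typedef struct {
    const char *user_sid;
    ImpersonationLevel level;
} Token;

/* Real well-known SID for the LocalSystem account. */
static const char *const LOCAL_SYSTEM_SID = "S-1-5-18";

/* Weak check, mirroring the flaw the report describes: the SID is compared but the
   impersonation level is never looked at. */
bool weak_is_local_system(const Token *t) {
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened check: refuse anything below SecurityImpersonation before trusting the SID.
   In a real driver the level comes from PsReferenceImpersonationToken's ImpersonationLevel
   out parameter. */
bool hardened_is_local_system(const Token *t) {
    if (t->level < SecurityImpersonation)
        return false;
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Scenario helpers so the outcomes can be checked by name. */
bool identify_token_passes_weak_check(void) {
    Token t = { LOCAL_SYSTEM_SID, SecurityIdentification };
    return weak_is_local_system(&t);            /* true: the bypass */
}

bool identify_token_passes_hardened_check(void) {
    Token t = { LOCAL_SYSTEM_SID, SecurityIdentification };
    return hardened_is_local_system(&t);        /* false: rejected */
}

bool impersonation_token_passes_hardened_check(void) {
    Token t = { LOCAL_SYSTEM_SID, SecurityImpersonation };
    return hardened_is_local_system(&t);        /* true: a genuine LocalSystem caller */
}

bool ordinary_user_passes_hardened_check(void) {
    /* Constructed sample SID for an ordinary domain user. */
    Token t = { "S-1-5-21-1000-2000-3000-1001", SecurityImpersonation };
    return hardened_is_local_system(&t);        /* false */
}

int main(void) {
    printf("identify token, weak check:        %s\n", identify_token_passes_weak_check() ? "ALLOWED" : "denied");
    printf("identify token, hardened check:    %s\n", identify_token_passes_hardened_check() ? "ALLOWED" : "denied");
    printf("impersonation token, hardened:     %s\n", impersonation_token_passes_hardened_check() ? "ALLOWED" : "denied");
    printf("ordinary user, hardened:           %s\n", ordinary_user_passes_hardened_check() ? "ALLOWED" : "denied");
    return 0;
}
```

The design point is that the SID comparison alone answers "who does this token name?", whereas the privileged path needs "is this caller entitled to act as that account?", which only the impersonation level answers; checking both is what the weak version omits.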
Hackers could potentially use this vulnerability to gain access to systems and applications on a user's computer that would normally only be available to administrators. It could also allow anyone to make themselves an administrator and access server functions.
Microsoft responded to the public exposure, saying: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
The bug was discovered as part of Google's Project Zero, which seeks out bugs in a range of operating systems and platforms before privately notifying the companies responsible for applying a fix. If the company fails to act on Google's alert within 90 days, information about the flaw is released to the wider world.
The blog continued: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public."
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.