Google's Project Zero research team has publicly revealed a flaw in Windows 8.1 after Microsoft failed to meet its 90-day patch deadline.
Google's research team privately disclosed the vulnerability to Microsoft in September.
The bug relates to an obscure Windows system call named NtApphelpCacheControl and can reportedly be exploited by a hacker, with difficulty, to launch an arbitrary executable with elevated privileges.
"This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator," explained a Google researcher.
"It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user security identifier [SID] in the token to LocalSystem's SID.
"It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check.
"For this purpose, the proof of concept abuses the Background Intelligent Transfer Service and Component Object Model to get the impersonation token."
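The check the researcher describes can be modelled in a few lines of C. This is an added example, not code from Google, Microsoft or the original article: `model_token`, `is_admin_flawed` and `is_admin_hardened` are hypothetical names, the token is a simplified stand-in for a Windows access token, and the hardened form is one way to close the gap rather than Microsoft's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Impersonation levels, in the order Windows defines them. */
typedef enum {
    SecurityAnonymous,
    SecurityIdentification,   /* identity may be inspected, not acted as */
    SecurityImpersonation,
    SecurityDelegation
} impersonation_level;

/* Simplified, hypothetical stand-in for a thread's impersonation token. */
typedef struct {
    const char *user_sid;        /* user SID in string form */
    impersonation_level level;   /* what the holder may do with the token */
} model_token;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Flawed check as described in the quote: only the user SID is compared. */
bool is_admin_flawed(const model_token *t)
{
    return t != NULL && strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened check: the SID counts only if the token's level actually
 * permits the thread to act as that user. */
bool is_admin_hardened(const model_token *t)
{
    return t != NULL
        && t->level >= SecurityImpersonation
        && strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

int main(void)
{
    /* Constructed sample: LocalSystem identity at identification level. */
    model_token ident = { "S-1-5-18", SecurityIdentification };
    printf("flawed=%d hardened=%d\n",
           is_admin_flawed(&ident), is_admin_hardened(&ident));
    return 0;
}
```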
Project Zero is a security initiative launched by Google in July 2014 designed to improve global cyber security levels by identifying and disclosing security vulnerabilities.
The project initially discloses flaws privately to the firms responsible for the vulnerable systems and gives them a 90-day deadline to release a fix before making the research public.
The public disclosure of the bug has led to controversy in the security community. Some have criticised Google for its public disclosure, arguing that 90 days is insufficient time to fix such an obscure flaw.
"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," commented one user on Google's disclosure.
"This OS is run by billions. Exposing vulnerabilities like this has far-reaching consequences. People could get hurt by this and it doesn't bring anyone closer to a solution," added another.
Others have praised Google, arguing that it was irresponsible of Microsoft to ignore the researcher's warnings.
"Microsoft dropped the ball, did not perform a security assessment of the new features before releasing them into production, and now has to deal with the consequences," commented one user. "Props to Google for sticking to their timetable."
It is currently unclear whether the flaw is being fixed. Microsoft had not responded to V3's request for comment at the time of publishing.
Chris Boyd, malware intelligence analyst at Malwarebytes, told V3 that the lack of firm information about whether the flaw is being exploited makes it difficult to judge how serious it is, or whether Microsoft has acted appropriately.
"While 90 days may be long enough to fix flaws found in many pieces of software, we can't say for certain what Microsoft would have to do behind the scenes to address this issue," he said.
"It can't risk introducing more vulnerabilities or flat out breaking key components by rushing a fix.
"It's too early to say how serious this is, but now Microsoft is under some visible pressure to tackle the problem, one would hope the eventual patch doesn't cause more security holes further down the line."
Microsoft has been criticised for its slow response time to privately disclosed flaws in the past.
The firm failed to patch a critical vulnerability in Internet Explorer 8, leaving users open to attack over 180 days after researchers privately disclosed the bug in May 2014.