Google’s Project Zero has a policy of automatically disclosing vulnerabilities 90 days after they have been reported to a vendor. Google reported the two new security issues to Microsoft on Oct. 17, 2014, putting the 90-day deadline date for disclosure at Jan. 15. The two new security vulnerabilities include Google Security Research issue #127, which is identified as a security bypass flaw in Windows 7.
“You can impersonate an administrator’s token as a normal user (through linked token or kidnapping a system token) and call the protected functions,” Google’s advisory states. “On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it’s not vulnerable.”
Google’s advisory on issue #127 also notes that “it isn’t clear if this has a serious security impact or not.”