I don't think it's a bug.
Both Select Count(*) and Select Count(1) would generate the same index scan as a Select *. I'd guess that the permission check is done before the scan so if the user isn't allowed access to any of the columns in the table the permission check fails. If you are specifying a column that the user does have access to, the check passes and the plan is executed.
It's just a guess. I didn't write the code and don't have access to source code so I can't verify any of this.