20-year-old Microsoft zero-day remains unpatched

Tavis Ormandy, a hacker on Google’s Project Zero team, traced a 20-year-old vulnerability in Windows that is still unpatched. According to Ormandy, the vulnerability is of high severity and affects every Windows version from XP onwards. The issue lies in the msCTF module of the Windows kernel.

The msCTF subsystem is part of the Text Services Framework (TSF). It manages input methods, keyboard layouts, text processing and related tasks. The vulnerability would allow data to be written or copied into a higher-privileged application.

Because there is no authentication, any application, any user, and even sandboxed processes are allowed to connect to a CTF session. In effect, CTF can obtain window information from any session in which it has been used, and a client can get other applications to attach to it and access it by lying to CTF about its thread id, process id, and HWND, all without the sandbox detecting anything.

“There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to login and compromise their session,” Ormandy explained. He added that when the CTF protocol fails to work correctly, the result is that a hacker can bypass User Interface Privilege Isolation (UIPI).

UIPI is part of User Account Control (UAC). It isolates higher-privileged programs from lower-privileged ones: processes sharing the same interactive desktop cannot send each other messages across integrity levels, which is what prevents shatter attacks.

If UIPI is bypassed, an unprivileged process can read information coming from other applications on the Windows system, such as passwords and similar secrets; gain privileges on the system; take total control of UAC; and subvert a sandbox by sending information out of it so that it is effectively unsandboxed. With these bypasses, attackers can access and gather information far faster and more efficiently.

Adding to the problem, Ormandy identified a memory corruption vulnerability in the CTF protocol. This memory corruption vulnerability can be fully exploited in a default configuration.

Memory corruption occurs when the contents of a memory location are modified in a way the program did not intend, to the point that the program's behaviour departs from what its algorithm was designed to do. This is termed violating memory safety. In most cases, memory corruption is caused by a programming error.

When memory is corrupted, the programs and files in use by the affected program can be lost, and that valuable information is also put at risk.

“Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol,” the researcher concluded.

Microsoft has been dealing with many issues involving hackers and vulnerabilities in its systems. Seven days ago, Microsoft also warned users about a vulnerability exploitable by SWAPGS attacks.

This vulnerability also affects Windows computers and lets hackers gain access to, and acquire personal information from, the device. SWAPGS is a type of attack that swaps the user's memory over to the attacker, giving the attacker all the information within it.

Fortunately, Microsoft has released updates that mitigate the SWAPGS issue and, as a result, has established a stronger system. Microsoft is working closely with both its researchers and industry partners to make customers feel more secure using its products.

In an official announcement, Microsoft stated that it released security updates in July and informed customers to apply the updates so that their devices are protected automatically.

Microsoft may have flaws in its systems, but that does not stop it from correcting and improving them to produce much better software. With every flaw that hackers and researchers discover, Microsoft resolves the problem right away, keeping the number of people targeted and attacked to a bare minimum.
