Twenty years can turn a pretty young girl into a . . . mature big sister.
But twenty years on, Microsoft still has a hole it has not filled!
On August 14th, US time, the foreign outlet BleepingComputer reported that Tavis Ormandy, a security researcher with Google Project Zero, had found serious design flaws in the CTF subsystem (MSCTF) of the Windows Text Services Framework. What leaves one speechless is that this design flaw is practically a Microsoft "hereditary disease": from Windows XP through Windows 10, no version has been rid of the root cause.
Lei Feng.com understands that a bare Windows XP installation does not have the design flaw, but as soon as the Microsoft Office suite is installed, MSCTF, and the vulnerability it "carries" with it, comes along too.
Ormandy pointed out that as long as an attacker has a login session on the Windows machine, he can exploit the MSCTF design flaws (and that is no small matter). A hacker with real skill could even take over the whole machine and gain SYSTEM-level control.
"This bug has existed for almost 20 years, and nobody found it. It's incredible," Ormandy added.
Ormandy also posted a video on YouTube showing how he used the MSCTF vulnerability to hijack the Windows logon screen and gain SYSTEM-level control. The system in the demo is Microsoft's latest Windows 10 operating system.
"In a nutshell, on Windows an unprivileged, low-integrity process is prohibited from sending input to, or reading data from, a higher-privileged process," Ormandy said. "But CTF breaks this rule, and the lowly process suddenly gets to turn the tables."
"With this, an attacker can send commands to a higher-privileged console window, read passwords out of other sessions, and escape the IL/AppContainer sandbox by sending input to unsandboxed windows," Ormandy went on to explain.
Beyond the hazards above, the MSCTF design flaws let an attacker use one compromised application to take over another application's CTF client and launch new programs through it. If the application whose CTF client is taken over has elevated privileges, the new program gets the same elevated privileges.
"This means that if you compromise the calculator on Windows, you can use it as a springboard to attack any CTF client. As everyone knows, on Windows 8 and earlier, compromising the calculator is trivial," Ormandy added.
Moreover, in the default configuration, memory-corruption bugs in the CTF protocol can also be exploited by an attacker, regardless of which system language or locale is in use.
In Ormandy's view, the hazards he listed barely scratch the surface; a determined attacker could do far worse.
Has the hole in the MSCTF protocol only been half filled?
Microsoft has patched some of the problems Ormandy discovered (he reported them in May) as CVE-2019-1162 in this month's security update. Whether the MSCTF protocol is still riddled with holes, however, is not known.
Microsoft says the patch fixes an elevation-of-privilege vulnerability in ALPC. An attacker who exploits it can run arbitrary code in the security context of the local system, and from there install programs; view, change, or delete data; or even create new accounts with full user rights.
Note that Windows XP, which Microsoft has already "abandoned", gets no patch; Windows 7 (32-bit) and later versions of Windows can download the update.
Lei Feng.com (WeChat public account: Lei Feng) thinks there is no need to panic too much: even on an unpatched machine targeted by hackers, an attacker must first authenticate to the system before he can use this flaw to gain control.
Along with his in-depth analysis of the vulnerability, Ormandy also published a set of tools and code (three months after notifying Microsoft) that can be used to attack the Windows MSCTF design flaws.
Fortunately, a Microsoft spokesperson said that some of the related issues were fixed in the August update pushed out yesterday. However, sources say Microsoft is still working to fill the hole left by the design flaw.
Lei Feng Network note: This article is compiled from BleepingComputer.