A look at the Windows 10 exploit Google Zero disclosed this week

by
Jim Salter
from Ars Technica - All content on (#4NB4Z)
  • ctftool-1-980x735.png

    As you can see, we're an unprivileged local user who's not allowed to monkey with things under C:WindowsSystem32. [credit: Jim Salter ]

On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root-er, system that is-on any unpatched Windows 10 system they're able to log in to. The patches for this vulnerability-along with several other serious issues-went out in this week's Patch Tuesday update.

We independently verified Ormandy's proof-of-concept, and it's precisely what it says on the tin: follow the directions and you get an nt authority\system privileged command prompt a few seconds later. We also independently verified that applying KB4512508 closed the vulnerability. After applying the August security updates, the exploit no longer works.

The full writeup of Ormandy's findings is fascinating and incredibly technically detailed. The TL;DR version is that Microsoft's Text Services Framework, which is used to provide multilingual support and has been in place since Windows XP, includes a library called MSCTF.DLL. (There's no clear documentation demonstrating what Microsoft intended CTF to stand for, but with the release of this tool, it might as well stand for Capture The Flag.)

Read 7 remaining paragraphs | Comments

index?i=vlLZB5tuyHw:RI1eL8Nfsb8:V_sGLiPB index?i=vlLZB5tuyHw:RI1eL8Nfsb8:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments