ArsTechnica’s Analysis of Windows Text Services Security Vulnerability

ArsTechnica has a thorough explanation of the Microsoft Text Services Framework vulnerability that Google’s Tavis Ormandy recently discovered, which led to security updates for Windows 10 this past week.

[Google’s Tavis] Ormandy didn’t start out looking for problems in the Text Services Framework—all he was really looking for was confirmation that he couldn’t send inter-process messages from an unprivileged process to a privileged process. But when he wrote a test case to send all possible messages to a Notepad.exe instance running as Administrator, he discovered that wasn’t the case: some of his inter-process messages unexpectedly went through.

Once Ormandy identified the culprit as MSCTF.DLL, the next step was figuring out what could be done with it. As he discovered, the answer was “pretty much anything you’d like.” The CTF protocol is a legacy system dating back to 2001’s Office XP, which even included support for Windows 98; it was available with the base system beginning with Windows XP itself. There was no access control at all implemented in the protocol—even sandboxed processes could connect to a CTF session outside their sandbox. Clients report their thread ID, process ID, and window handle—but there was no verification and nothing stopping such a client from lying through its teeth to get what it wants.

. . .

This vulnerability lurked unacknowledged in the Windows stack for 20 years, and the consequences were even farther-reaching than the proof-of-concept exploit—CTF can even be used on unpatched systems to bypass AppContainer Isolation used in the newest and supposedly most securely designed applications, such as Microsoft Edge.
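The core mistake the article describes is an IPC server that believes whatever identity (thread ID, process ID, window handle) a client reports about itself. The following is an added example, not code from the article or from Ormandy’s research, and it is not Windows-specific: it models the same anti-pattern and its fix on a Unix-domain socket, where the server can either trust a PID the client writes into a hypothetical “hello” message or ask the kernel who the peer really is via `SO_PEERCRED` (Linux only; the Windows analogues are calls such as `GetNamedPipeClientProcessId` or inspecting the caller’s token). The hello message format and the PID allowlist are assumptions made for the demonstration.

```python
"""Self-reported vs. kernel-verified peer identity over local IPC.

Added example (not from the article or from the CTF research it describes).
The server in ``trusted_pid_insecure`` trusts the PID in the client's hello
message, the pattern the article says CTF used; ``peer_pid_verified`` gets
the PID from the kernel instead (SO_PEERCRED, Linux-only assumption).
"""
import os
import socket
import struct
from typing import Iterable, Tuple

# Hypothetical hello message: a single 32-bit PID the client claims to be.
HELLO_FMT = "!I"
# struct ucred on Linux: pid_t, uid_t, gid_t (three native 32-bit ints).
UCRED_FMT = "3i"


def current_pid() -> int:
    """Helper so callers can compare against the real PID of this process."""
    return os.getpid()


def send_hello(client: socket.socket, claimed_pid: int) -> None:
    """Client side: announce an identity. Nothing stops the client lying."""
    client.sendall(struct.pack(HELLO_FMT, claimed_pid))


def trusted_pid_insecure(server: socket.socket) -> int:
    """Vulnerable pattern: believe the PID carried in the message."""
    raw = server.recv(struct.calcsize(HELLO_FMT))
    (pid,) = struct.unpack(HELLO_FMT, raw)
    return pid


def peer_pid_verified(server: socket.socket) -> int:
    """Hardened pattern: take the peer PID from the kernel, not the client."""
    raw = server.getsockopt(
        socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED_FMT)
    )
    pid, _uid, _gid = struct.unpack(UCRED_FMT, raw)
    return pid


def handle_hello(
    server: socket.socket, allowed_pids: Iterable[int], verify: bool
) -> Tuple[int, bool]:
    """Read the hello, decide which identity to trust, and authorize.

    Returns (pid the server believes, whether it was authorized).
    """
    claimed = trusted_pid_insecure(server)  # the message is read either way
    pid = peer_pid_verified(server) if verify else claimed
    return pid, pid in set(allowed_pids)


def demo(claimed_pid: int, allowed_pids: Iterable[int], verify: bool) -> Tuple[int, bool]:
    """Run one client/server exchange over a socketpair in this process.

    With a socketpair the kernel records this process as the peer on both
    ends, so the verified PID is always os.getpid() regardless of the claim.
    """
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        send_hello(client, claimed_pid)
        return handle_hello(server, allowed_pids, verify)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    # A "privileged" allowlist containing PID 1; this process claims to be PID 1.
    print("unverified:", demo(1, {1}, verify=False))   # liar is authorized
    print("verified:  ", demo(1, {1}, verify=True))    # kernel says otherwise
```

The point of the two code paths is that `handle_hello` is identical except for where the identity comes from; the access-control decision is only as good as the provenance of the PID it checks, which is exactly what the CTF protocol lacked.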

Chess Cheating Scandal

Grandmaster Igors Rausis has been caught cheating his way up the international chess rankings, and has admitted it:

Igors Rausis, at 58 the oldest among the world top 100 grandmasters, was last week caught analysing in the toilet during his game in the Strasbourg Open. Rausis later told the Czech newspaper Lidovky: “I signed a statement that I am guilty in full … I completely ruined my name and also destroyed the trust of all my colleagues and friends.”

Rausis’s steady advance up the rankings in his 50s, after many years at the 2500 moderate grandmaster level, was clearly abnormal. He played in smaller events which could not afford the strict anti-cheating measures of major tournaments, and he exploited a rule where a win against an opponent 400 or more rating points lower gains 0.8 of a point. Rausis played many games where the rating difference was much higher, so that the statistical odds favoured him.

Millennium Blades Board Games

Millennium Blades has one of the most interesting story concepts I’ve seen in a board game in a while. Its conceit is that it is about a group of friends who are themselves playing the fictional CCG “Millennium Blades.”

Millennium Blades is a board game about a fictional collectible card game, which is also called Millennium Blades. You begin the game on pre-release night with just your starter deck. You’ll open new packs, form collections, and sell your junk cards on the aftermarket to buy hot new cards. Trade with your friends, build up your deck, and prepare to compete at Millennium Blades Worlds for the title of World Champion!


Enabling 2FA in DokuWiki

I’ve been doing a bit of a personal security audit lately, and updating/resetting passwords and adding 2FA wherever I can. One of the things I was pleasantly surprised to see is that DokuWiki made it fairly straightforward to add 2FA to my wiki.

The plugins that make this possible were written by Michael Wilmes, and enabling 2FA means installing several of them:

  1. First, using the DokuWiki extension manager, install the Attribute plugin.
  2. Next, install the Two Factor Authentication – Core Plugin. As the title suggests, this installs a 2FA framework within DokuWiki.
  3. Finally, install one or more of the five 2FA modules, which include ones for email, an alternate email, Google Authenticator, and SMS.

I was only interested in the Google Authenticator module. After installing it, it worked like a charm. My login page now looks like this, and will not let me log in without the 2FA code:

DokuWiki 2FA-enabled Login Page