ArsTechnica’s Analysis of Windows Text Services Security Vunerability

ArsTechnica has a through explanation of Microsoft’s Text Services vulnerability that Google’s Tavis Ormandy recently discovered, leading to security updates in Windows 10 this past week.

[Google’s Tavis] Ormandy didn’t start out looking for problems in the Text Services Framework—all he was really looking for was confirmation that he couldn’t send inter-process messages from an unprivileged process to a privileged process. But when he wrote a test case to send all possible messages to a Notepad.exe instance running as Administrator, he discovered that wasn’t the case: some of his inter-process messages unexpectedly went through.

Once Ormandy identified the culprit as MSCTF.DLL, the next step was figuring out what could be done with it. As he discovered, the answer was “pretty much anything you’d like.” The CTF protocol is a legacy system dating back to 2001’s Office XP, which even included support for Windows 98; it was available with the base system beginning with Windows XP itself. There was no access control at all implemented in the protocol—even sandboxed processes could connect to a CTF session outside their sandbox. Clients report their thread ID, process ID, and window handle—but there was no verification and nothing stopping such a client from lying through its teeth to get what it wants.

. . .

This vulnerability lurked unacknowledged in the Windows stack for 20 years, and the consequences were even farther reaching than the proof-of-concept exploit—CTF can even be used on unpatched systems to bypass AppContainer Isolation used in the newest and supposedly most securely designed applications, such as Microsoft Edge.

Post Revisions:

Leave a Reply