ArsTechnica’s Analysis of Windows Text Services Security Vulnerability

Revision of August 18, 2019 @ 15:47:00.

ArsTechnica has a thorough explanation (https://arstechnica.com/information-technology/2019/08/a-look-at-the-windows-10-exploit-google-zero-disclosed-this-week/) of Microsoft’s Text Services vulnerability that Google’s Tavis Ormandy recently discovered, leading to security updates in Windows 10 this past week.

[Google’s Tavis] Ormandy didn’t start out looking for problems in the Text Services Framework—all he was really looking for was confirmation that he couldn’t send inter-process messages from an unprivileged process to a privileged process. But when he wrote a test case to send all possible messages to a Notepad.exe instance running as Administrator, he discovered that wasn’t the case: some of his inter-process messages unexpectedly went through.

Once Ormandy identified the culprit as MSCTF.DLL, the next step was figuring out what could be done with it. As he discovered, the answer was “pretty much anything you’d like.” The CTF protocol is a legacy system dating back to 2001’s Office XP, which even included support for Windows 98; it was available with the base system beginning with Windows XP itself. There was no access control at all implemented in the protocol—even sandboxed processes could connect to a CTF session outside their sandbox. Clients report their thread ID, process ID, and window handle—but there was no verification and nothing stopping such a client from lying through its teeth to get what it wants.

. . .

This vulnerability lurked unacknowledged in the Windows stack for 20 years, and the consequences were even farther reaching than the proof-of-concept exploit—CTF can even be used on unpatched systems to bypass AppContainer Isolation used in the newest and supposedly most securely designed applications, such as Microsoft Edge.
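An added illustration of the failure the quoted passage describes, written for this post rather than taken from the article or from Windows: a small Linux socketpair simulation in which a client announces its own process ID, and the service decides once by believing that claim (as the CTF protocol did) and once by checking it against the kernel's SO_PEERCRED answer. The "HELLO pid=" wire format and the PIDs are constructed for the demo.

```python
import os
import socket
import struct

# Constructed simulation (not code from the article or from Windows): a privileged
# IPC service that, like the CTF protocol described above, lets clients announce
# their own process ID, versus one that asks the kernel who is on the other end.

HEADER = b"HELLO pid="   # constructed wire format: b"HELLO pid=<n>"

def claimed_pid(msg: bytes) -> int:
    """Parse the PID the client wrote into its own hello message."""
    if not msg.startswith(HEADER):
        raise ValueError("malformed hello")
    return int(msg[len(HEADER):])

def kernel_peer_pid(conn: socket.socket) -> int:
    """Ask the kernel for the peer's PID (Linux AF_UNIX SO_PEERCRED: pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid

def authorise_self_reported(msg: bytes, trusted_pid: int) -> bool:
    """Vulnerable pattern: trust whatever the client says about itself."""
    return claimed_pid(msg) == trusted_pid

def authorise_verified(conn: socket.socket, msg: bytes, trusted_pid: int) -> bool:
    """Hardened pattern: the claim must match the kernel-supplied identity,
    and that identity must be the one the service trusts."""
    actual = kernel_peer_pid(conn)
    return claimed_pid(msg) == actual and actual == trusted_pid

def simulate(trusted_pid: int, pid_to_claim: int) -> dict:
    """Client on one end of a socketpair claims `pid_to_claim`; the service on
    the other end decides under both policies. Returns the two verdicts."""
    service, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(HEADER + str(pid_to_claim).encode())
        hello = service.recv(64)
        return {
            "self_reported": authorise_self_reported(hello, trusted_pid),
            "verified": authorise_verified(service, hello, trusted_pid),
        }
    finally:
        service.close()
        client.close()

def demo() -> dict:
    """Honest client (claims its real PID) versus a client claiming a foreign, trusted PID."""
    me = os.getpid()
    return {"honest": simulate(me, me), "liar": simulate(me + 1000, me + 1000)}

if __name__ == "__main__":
    print(demo())
```

The lying client passes the self-reported check under both policies' naming but fails the verified one, because the kernel reports the real peer PID regardless of what the message says.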

