Another day, another “Oh My God! What were they thinking!” moment for Microsoft. A critical flaw in the design of Microsoft’s operating systems stretching back to Windows XP has been discovered by Tavis Ormandy of Google’s Project Zero research team. The flaw lies in the design of the CTF subsystem, which manages communication between user interface elements on a Windows OS; it allows an attacker to send any command to any window or to hijack existing CTF sessions. In other words, this is an attacker’s dream toolkit for taking full control of a victim’s computer through escalation of privilege. Tavis has just published a proof-of-concept video showing exploitation of the flaw.
Because the critical design flaw is the lack of access control in CTF (it basically allows anything to communicate with anything, without authentication), it will be interesting to see how it can be effectively fixed. Microsoft released a patch yesterday for CVE-2019-1162, which supposedly addresses the issue. I’m looking forward to an update from the Project Zero team on the effectiveness of the patch.
Part of the issue here concerns the age of the flaw – it stretches back almost 20 years. As the Windows operating systems have evolved over time, each release simply built on and updated the components that were already there. If security was not properly designed in during the initial development, any flaws continue to be passed down to succeeding generations through inertia and the lack of regression testing.
In the interim, make sure to apply your Windows OS patches promptly!