Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

Google Discloses 20-Yr-Outdated Unpatched Flaw Affecting All Variations of Home windows

View Reddit by DeveloperChrisView Source

17 COMMENTS

  1. So basically, there’s a component in Windows responsible for managing the text shown in windows. Applications talk to this component and, for fairly obvious reasons, the component needs to be able to disambiguate between the different programs that are talking to it. The way this is done is by having the program *tell* the component which program it is—and the component *believes it*, without verification. Since the component is running with high privilege levels and can more-or-less do anything in the system, this is *Very Bad*.

  2. > The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application.

    MSCTF… Microsoft Capture The Flag

  3. >For its part, Microsoft told ZDNet they patched the bug Ormandy reported this month. The CTF protocol vulnerability and fixes are tracked as CVE-2019-1162.
    >
    >But as the vulnerability are deeply ingrained in the protocol and its design, it will remain to be seen if patches Microsoft released today as part of the August 2019 Patch Tuesday are enough.
    >
    >”It will be interesting to see how Microsoft decides to modernize the protocol,” Ormandy wondered.”

  4. This is the best tl;dr I could make, [original](https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html?m=1) reduced by 82%. (I’m a bot)
    *****
    > A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, back from Windows XP to the latest Windows 10.

    > In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central authority to handle communications between all clients, which are actually windows for each process running on the same session.

    > The researcher has also released a custom open-source "CTF Exploration Tool" on Github that he developed and used to discover many critical security issues in the Windows CTF protocol.

    *****
    [**Extended Summary**](http://np.reddit.com/r/autotldr/comments/cqpi14/google_discloses_20yearold_unpatched_flaw/) | [FAQ](http://np.reddit.com/r/autotldr/comments/31b9fm/faq_autotldr_bot/ “Version 2.02, ~420188 tl;drs so far.”) | [Feedback](http://np.reddit.com/message/compose?to=%23autotldr “PM’s and comments are monitored, constructive feedback is welcome.”) | *Top* *keywords*: **window**^#1 **application**^#2 **CTF**^#3 **any**^#4 **session**^#5

  5. I have been running windows 7 and have refused to upgrade ever since I logged into a windows server and saw some ads and weather in there (I know, you can turn it off).

    Windows 7 will cease to be supported around the end of 2019, so I am planning to move to a Linux desktop that hosts windows VMs for my business needs. I generally use Centos for work, but I think I will use Ubuntu in this case since it seems to lead in the desktop area.

Leave a Reply