JÃ¼rgen FÃ¤lchle - stock.adobe.c
Researchers at Google’s Project Zero unit dedicated to finding security vulnerabilities in software reported a flaw in Windows 10 in November 2017, which they claim has still not been fixed.
The disclosure comes just days after Project Zero went public with a flaw in Microsoft’s Edge browser that was also reported in November 2017, but was not fixed in the 90-day deadline the Google unit sets for software suppliers.
The latest flaw to be disclosed publicly before Microsoft has issued a patch has been classified as “high” severity by Project Zero researchers. They reported the issue to Microsoft in November, alongside another flaw in the same function.
While one flaw relating to the SvcMoveFileInheritSecurity remote procedure call (RPC) was fixed in Microsoft’s February security updates, Project Zero said analysis of the patch revealed that the other flaw has still not been fixed, despite giving Microsoft an extended grace period so that a patch could be issued on 13 February.
According to Project Zero, the the flaw that remains unfixed can be used to assign an arbitrary security descriptor to an arbitrary file leading to an elevation of privilege, which is commonly used by cyber attackers to gain administrator privileges to move unfettered inside targeted networks or systems.
The remote procedure call makes use of the MoveFileEx function call, which moves a file to a new destination. The problem occurs when the RPC moves a hardlinked file to a new directory which has inheritable access control entries (ACEs). Now even if the hardlinked file does not allow deletion, it can be allowed based on the permissions provided by the new parent directory it has been moved to.
This means that even if the file is read-only, if the server calls the SetNamedSecurityInfo on the parent directory, it will be able to assign it an arbitrary security descriptor, which would potentially allow other users on the network to modify it.
Project Zero submitted proof-of-concept code which creates a text file in the Windows folder, and abuses the SvcMoveFileInheritSecurity RPC to overwrite the security descriptor to allow access to everyone.
Read more about responsible disclosure
- Security researchers have praised Facebook’s WhatsApp cross-platform messenger service for its quick response to a vulnerability disclosure.
- Microsoft says it continues to support responsible disclosure of security vulnerabilities after a researcher went public with a zero-day vulnerability.
- Is 90 days enough time for software suppliers to address vulnerabilities?
The researchers noted that Microsoft considers this to be an “important” but not “critical” issue, because although it allows elevation of privilege, it cannot be done remotely and cannot be used from a sandbox such as those used by Edge and Chrome.
However, Project Zero said it had marked the issue as “high” severity to reflect the ease of exploitation for the type of issue, and notified Microsoft that it would disclose the flaw publicly.
It remains to be seen if the public disclosure of the Windows 10 flaw will result in a patch from Microsoft, which, in response to queries by news site Neowin about an expected timeframe, issued the following statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”
Project Zero has come under fire from Microsoft in the past for disclosing vulnerabilities before they have been fixed, claiming such actions provide attackers with a window of opportunity.
Microsoft has consistently campaigned for researchers to disclose vulnerabilities only to software suppliers, saying that “responsible disclosure” to suppliers without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability.