Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP (zdnet.com)
CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design.
What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means anywhere in Microsoft's documentation. What Ormandy did find out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When a user starts an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.
That's very considerate (Score:3)
Re: (Score:1)
Dumbass Security Expert of The Day
"malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole."
Well . . . DUH! . . . . If you already have malware on your computer, *THAT* is your biggest problem.
Re: (Score:2)
It was rather convenient that you left the important part off isn't it? Because once you add the part you left out, and one realizes that there are these places called libraries as well as other places where people are allowed to u
Re:That's very considerate (Score:4, Insightful)
What is the world coming to when the average slashdot user doesn't understand the seriousness of privilege escalation?
This exploit makes any interactive user (or any process run by any interactive user) an administrator.
So, of course it's not much of a problem for home PCs where everybody is an administrator anyway;
But that's a REALLY big problem for anybody who manages a Windows computer in a corporate or educational environment.
Re: (Score:2)
But here you are acting as if this time it's a big deal. No. Sorry.
Re:That's very considerate (Score:5, Insightful)
Getting admin rights on a windows box is trivial if you have physical access to a machine and can boot your own operating system image beside windows.
Getting Administrator rights on a properly patched Windows machine from a regular user login is not trivial, and every time there is a bug that allows users to escalate their privileges it's a big deal.
Almost every organisation with more than about 30 employees worldwide relies on the fact that users do not have administrative privileges.
Re: (Score:2)
... This is called a privilege escalation vulnerability https://en.wikipedia.org/wiki/... [wikipedia.org]. While you may mock this, it is not something to scoff at. Attackers routinely daisy chain exploits/attack vectors in order to achieve full system control and this is a pretty serious issue given it is ingrained in all Windows applications with an interface.
What CTF stands is currently unknown... (Score:2)
Re: What CTF stands is currently unknown... (Score:5, Funny)
Capture The Flag protocol, clearly, since it enables attackers.
Re: (Score:1)
Re: (Score:3, Informative)
YUP, apparently the 'security researcher' doesn't know how to use Google. And it does seem to be safe to disable it, but you should defo take a system snapshot before trying or try it in a VM 1st.
https://www.blogsdna.com/30168... [blogsdna.com]
Re: What CTF stands is currently unknown... (Score:4, Informative)
https://patents.google.com/pat... [google.com]
https://patents.google.com/pat... [google.com]
Re: (Score:2)
The first application turned into a patent 7,490,296 [google.com]. The claims are a bit different from the application you cited. The second one is, however, abandoned.
Re: (Score:2)
Quake2. I remember playing it with my college buddies in big LAN parties. It was so fun! :D
Re: (Score:2)
Or the original 3Wave CTF for QuakeWorld
Thunderwalker CTF added too many powerups/goodies. 3Wave became the "standard" CTF style.
Re: (Score:2)
I pity the thread, Fool!
Re: What CTF stands is currently unknown... (Score:1)
Re: (Score:2)
https://translate.google.com/t... [google.com]
I haven't found any references with more substance. If what they said is actually accurate, then CTF is just sort of a residue, as the current name of the thing is "Text Services Framework".
Re: (Score:2)
https://patents.google.com/pat... [google.com]
https://patents.google.com/pat... [google.com]
Re: What CTF stands is currently unknown... (Score:2)
And Clear Type is anything but clear - I prefer to call it Fuzzy Type because with it active and one of the fonts selected supporting it I get a headache and an urge to poke out the eyes of anyone that came up with it.
That damned solution really forces me to filter a lot of web sites for fonts using it to make them readable.
ClusTerFuck, obviously. (Score:3)
I mean, this IS windows, right? :)
Re: (Score:3)
Completely Trustworthy Functionality
Define "exploited with ease" (Score:2)
> hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.
Yes, that is certainly a serious vulnerability, but let's be sure to put things in context, the malware has to get on your PC in the first place, and you don't really need exploits to get control of a Windows machine in most cases. Users are trained to just mash through any UAC dialogs, so any software running on the user's PC will pr
Re: (Score:3)
the malware has to get on your PC in the first place
Does it? A simple browser exploit could get you when you're e.g. browsing a website that's been compromised or includes ads that weren't thoroughly screened. From there, based on the description, this lets the exploited app talk to admin processes.
Re: (Score:2)
If you're not blocking ads, you're an idiot. Still the worst vector for this shit.
Re:Define "exploited with ease" (Score:5, Interesting)
Imagine going to a store in the mall, being greeted at the second set of shelves, and being told to go back out into the mall, walk down the hall, and look at the poster in the window of another store, then come back and continue shopping.
Why oh why would any web-site visitor ever want to load an ad from another domain? I don't get it.
I don't "block" ads. I simply don't leave the domain that I'm on to go and get ads. It's an instruction, not a demand. I can ignore instructions. I can ignore demands too.
If a site wants to show me an ad, they can serve it themselves, with their own bandwidth and their own hardware. I'm fine with that.
Re: (Score:1)
Me, I simply can't understand using a 'shopping' analogy for browsing the web. I guess I buy things online once in awhile, but it's definitely far down the list of reasons I would open a web browser.
Re: (Score:2)
Do you ever discuss services via your web browser? That's also done in a mall. So is looking at art galleries, playing in a video arcade, hangin' with friends, doing research, celebrating certain things, and watching movies in the theatre.
Do you do any of that in your web browser?
Re: Define "exploited with ease" (Score:2)
Incorrect analogy. All shops purchase ad service from the same company instead of providing the ad service themselves.
But for the matter of the exploit it doesn't matter. It would also be hard to screen the ads fully for all exploits unless you make sure you kill anything that's executable on the web, and that includes JavaScript and downloadable fonts. Many fonts contain executable code one way or another, so it's not impossible.
Re: (Score:2)
Not every person who uses a computer is the owner. This is where your analysis goes horribly wrong. All that is necessary is for a person with ill intent to have non-privileged access. This means, for example, that in a corporate environment or library, where the owner and user are not the same, every single Windows machine is vulnerable, and all you need is one patron or employee who has been restricted to non-privileged access up until now w
Re: (Score:2)
For home users perhaps, for corporate deployments the users typically won't have admin rights...
For any large company you can usually guess a weak password or trick a user into running something via phishing. Once you have the one user, you will probably find that user has unprivileged access to every workstation, so you login to a workstation used by higher privileged staff, privesc the box and install a keylogger or mimissp. Wait for the privileged user to log in and take his creds.
CTF = ClearType Font ??? (Score:2)
Let Me Google That For You (Score:3)
CTF site:microsoft.com -site:social.msdn.microsoft.com
Collaborative Translation Framework (CTF)
There. Now how hard was that?
Re:Let Me Google That For You (Score:4, Interesting)
https://patents.google.com/pat... [google.com]
https://patents.google.com/pat... [google.com]
Re: Let Me Google That For You (Score:2)
Multiple names for the same thing isn't unusual.
Re: (Score:3)
https://patents.google.com/pat... [google.com]
https://patents.google.com/pat... [google.com]
This again? (Score:1)
hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.
Yet another exploit that requires the machine to be compromised already. Who cares! If it's compromised, it's compromised; there are no degrees of being compromised. It's an on/off thing. You either are, or you aren't. If you are, all bets are off. The machine has been made vulnerable ALREADY, who cares if there are more vulnerabilities on the inside. You're already in.
When the command prompt says 'root@localhost>' there is no point in typing 'sudo blah blah', you're already it. That's what this is
Re: (Score:3)
It could be used to chain attacks. Eg the recent RDP exploit was initially not workable without something else to anchor it to. Many browser exploits have allowed you to send arbitrary code to arbitrary locations (such as localhost). Given this is a server client solution it seems like you could chain a relatively harmless exploit in a browser to become a keylogger.
Re: (Score:2)
What is the world coming to when the average slashdot user doesn't understand the seriousness of privilege escalation?
This exploit makes any interactive user (or any process run by any interactive user) an administrator.
That's a REALLY big problem for anybody who manages a windows computer in a corporate or educational environment.
Re: This again? (Score:2)
Not to mention military. But I wouldn't be surprised if this is one exploit that NSA and other agencies have been using for their hack tools.
Non Issue (Score:2)
So they're owned anyway.
This is the digital equivalent of saying "if there's a burglar already inside your house, he might steal your shit".
FALSE (Score:1)
Always funny how the MSFT Shills want to downplay MSFT shoddiness.
Complexity kills security (Score:2)
Windows is ridiculously complicated, with hundreds if not thousands of protocols, the vast majority of which are barely used. Just do a ps (task manager) and look at the number of daemons.
And for what? To run office automation and a web browser.
Linux is doing its best to catch up. SystemD is just the tip of the iceberg.
There is no surprise that it has security holes. What is surprising is that it works at all.
OpenBSD (Score:1)
Oops, there goes Win 10's "edge" (Score:2)
So one of Microsoft's primary arguments in favour of the vile infestation of spyware and bloat they call Windows 10, that it is more secure, gets blown out of the water.
I can't say I'm sorry to see its advocates left with an ostrich-sized helping of egg on their face.
Re: (Score:2)
They claim that it's more secure than older versions, which it is...
Those older versions may set a very low bar, but still their claim is correct.
All MARKETING (Score:1)
Re: (Score:2)
Yes, every version of Windows since XP contains the bug, but NOT every version of Windows since XP steals user bandwidth constantly phoning home, compromising user privacy and shoving updates down the throat of average users that have been, to say the least, problematic.
So kindly fuck off, at least until you find somebody who can explain the basics of logic to you. I hope they can dumb down their explanation enough so it can be understood by somebody with an IQ somewhere between a flatworm and a toaster, o
I hate CTF. (Score:2)
Eventually though, I stopped caring. Now I get