Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Microsoft Bug Security IT Technology

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP (zdnet.com) 64

Posted by msmash from the security-woes dept.
CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design.

What CTF stands is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means in all of Microsoft documentation. What Ormandy found out was that CTF is part of of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.
This discussion has been archived. No new comments can be posted.

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP More

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP

Comments Filter:

  • That's very considerate (Score:3)

    by mandark1967 ( 630856 ) on Tuesday August 13, 2019 @03:51PM (#59084020) Homepage Journal
    Not everyone includes backwards compatibility in their coding

    • Dumbass Security Expert of The Day

      "malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole."

      Well . . . DUH! . . . . If you already have malware on your computer, *THAT* is your biggest problem.

      • "... hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole."

        "Well . . . DUH! . . . . If you already have malware on your computer, *THAT* is your biggest problem."

        It was rather convenient that you left the important part off isn't it? Because once you add the part you left out, and one realizes that there are these places called libraries as well as other places where people are allowed to u

      • Re:That's very considerate (Score:4, Insightful)

        by xQx ( 5744 ) on Tuesday August 13, 2019 @07:41PM (#59084602)

        What is the world coming to when the average slashdot user doesn't understand the seriousness of privilege escalation?

        This exploit makes any interactive user (or any process run by any interactive user) an administrator.

        So, of course it's not much of a problem for home PC's where everybody is an administrator anyway;

        But, That's a REALLY big problem for anybody who manages a windows computer in a corporate or educational environment.

        • I dont know what universe you live in, but in the world I live in getting admin rights on a windows box is trivial if you can execute some code.

          But here you are acting as if this time its a big deal. No. Sorry.

          • Re:That's very considerate (Score:5, Insightful)

            by xQx ( 5744 ) on Tuesday August 13, 2019 @10:37PM (#59084904)

            Getting admin rights on a windows box is trivial if you have physical access to a machine and can boot your own operating system image beside windows.

            Getting Administrator rights on a properly patched Windows machine from a regular user login is not trivial, and every time there is a bug that allows users to escalate their privileges it's a big deal.

            Almost every organisation with more than about 30 employees worldwide relies on the fact that users do not have administrative privileges.

      • Re: (Score:2)

        by Zmobie ( 2478450 )

        ... This is called a privilege escalation vulnerability https://en.wikipedia.org/wiki/... [wikipedia.org]. While you may mock this, it is not something to scoff at. Attackers routinely daisy chain exploits/attack vectors in order to achieve full system control and this is a pretty serious issue given it is ingrained in all Windows applications with an interface.

  • > hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.

    Yes, that is certainly a serious vulnerability, but let's be sure to put things in context, the malware has to get on your PC in the first place, and you don't really need exploits to get control of a Windows machine in most cases. Users are trained to just mash through any UAC dialogs, so any software running on the user's PC will pr

    • the malware has to get on your PC in the first place

      Does it? A simple browser exploit could get you when you're e.g. browsing a website that's been compromised or includes ads that weren't thoroughly screened. From there, based on the description, this lets the exploited app talk to admin processes.

      • If you're not blocking ads, you're an idiot. Still the worst vector for this shit.

        • Re:Define "exploited with ease" (Score:5, Interesting)

          by holophrastic ( 221104 ) on Tuesday August 13, 2019 @04:43PM (#59084186)

          Imagine going to a store in the mall, being greeted at the second set of shelves, and being told to go back out into the mall, walk down the hall, and look at the poster in the window of another store, then come back and continue shopping.

          Why oh why would any web-site visitor ever want to load an ad from another domain? I don't get it.

          I don't "block" ads. I simply don't leave the domain that I'm on to go and get ads. It's an instruction, not a demand. I can ignore instructions. I can ignore demands too.

          If a site wants to show me an ad, they can serve it themselves, with their own bandwidth and their own hardware. I'm fine with that.

          • Me, I simply can't understand using a 'shopping' analogy for browsing the web. I guess I buy things online once in awhile, but it's definitely far down the list of reasons I would open a web browser.

            • Do you ever discuss services via your web browser? That's also done in a mall. So is looking at art galleries, playing in a video arcade, hangin' with friends, doing research, celebrating certain things, and watching movies in the theatre.

              Do you do any of that in your web browser?

          • Incorrect analogy. All shops purchases ad service from the same company instead of providing the ad service themselves.

            But for the matter of exploit it doesn't matter. It would also be hard to screen the ads fully for all exploits unless you make sure you kill anything that's executable on the web, and that includes javascript and downloadable fonts. Many fonts contains executable code one way or another, so it's not impossible.

    • "the malware has to get on your^H^H^H^Hthe PC in the first place"

      Not every person who uses a computer is the owner. This is where your analysis goes horribly wrong. All that is necessary is for a person with ill intent to have non-privileged access. This means, for example, that in a corporate environment or library, where the owner and user are not the same, every single Windows machine is vulnerable, and all you need is one patron or employee who has been restricted to non-privileged access up until now w

    • Re: (Score:2)

      by Bert64 ( 520050 )

      For home users perhaps, for corporate deployments the users typically won't have admin rights...
      For any large company you can usually guess a weak password or trick a user into running something via phishing. Once you have the one user, you will probably find that user has unprivileged access to every workstation, so you login to a workstation used by higher privileged staff, privesc the box and install a keylogger or mimissp. Wait for the privileged user to log in and take his creds.

  • Windows XP introduced Cleartype for fonts on LCD's, so that's where my money is...

  • Let Me Google That For You (Score:3)

    by scdeimos ( 632778 ) on Tuesday August 13, 2019 @05:44PM (#59084356)

    CTF site:microsoft.com -site:social.msdn.microsoft.com

    Collaborative Translation Framework (CTF)

    There. Now how hard was that?

  • hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.

    Yet another exploit that requires the machine to be compromised already. Who cares! If it's compromised, it's compromised, there's no degrees of being compromised. It's an on/off thing. You either are, or you aren't. If you are, all bets are off. The machine has been made vulnerable ALREADY, who cares if there's more vulnerabilities on the inside. You're already in.

    When the command prompt says 'root@localhost>' there's is no point in typing 'sudo blah blah', you're already it. That's what this is

    • Re: (Score:3)

      by guruevi ( 827432 )

      It could be used to chain attacks. Eg the recent RDP exploit was initially not workable without something else to anchor it to. Many browser exploits have allowed you to send arbitrary code to arbitrary locations (such as localhost). Given this is a server client solution it seems like you could chain a relatively harmless exploit in a browser to become a keylogger.

    • Re: (Score:2)

      by xQx ( 5744 )

      What is the world coming to when the average slashdot user doesn't understand the seriousness of privilege escalation?

      This exploit makes any interactive user (or any process run by any interactive user) an administrator.

      That's a REALLY big problem for anybody who manages a windows computer in a corporate or educational environment.

      • Not to mention military. But I wouldn't be surprised if this is one exploit that NSA and other agencies have been using for their hack tools.

  • "hackers or malware that already have a foothold on a user's computer"

    So they're owned anyway.

    This is the digital equivalent of saying "if there's a burglar already inside your house, he might steal your shit".
    • The assumption that a single corrupted process does not mean total corruption of a machine is important in IT security. Ever heard of Sandboxing ?

      Always funny how the MSFT Shills want to downplay MSFT shoddiness.

  • Windows is ridiculously complicated, with hundreds if not thousands of protocols, the vast majority of which are barely used. Just fo a ps (task manager) and look at the number of daemons.

    And for what? To run office automation and a web browser.

    Linux is doing its best to catch up. SystemD is just the tip of the iceberg.

    There is no surprise that it has security holes. What is surprising is that it works at all.

  • So one of Microsoft's primary arguments in favour of the vile infestation of spyware and bloat they call Windows 10, that it is more secure, gets blown out of the water.

    I can't say I'm sorry to see its advocates left with an ostrich-sized helping of egg on their face.

    • Re: (Score:2)

      by Bert64 ( 520050 )

      They claim that it's more secure than older versions, which it is...
      Those older versions may set a very low bar, but still their claim is correct.

    • Or should I say commercial propaganda ? Windows has not changed essentially since WNT 3.51. What we got with XP, Vista, Win7, Win8-without-Windows and Win10 was just re-fashioned GUIs. The core stayed more or less the same. Of course MSFT lied through all their openings and claimed that each of these versions was "totally super new and super more secure". All lies.
    • Why, because it contains a vulnerability that every version since XP also contains? Your argument demonstrates only that you have a bug up your ass shaped like the Windows logo.

      • Yes, every version of Windows since XP contains the bug, but NOT every version of Windows since XP steals user bandwidth constantly phoning home, compromising user privacy and shoving updates down the throat of average users that have been, to say the least, problematic.

        So kindly fuck off, at least until you find somebody who can explain the basics of logic to you. I hope they can dumb down their explanation enough so it can be understood by somebody with an IQ somewhere between a flatworm and a toaster, o

  • Comment removed based on user account deletion
    • It's a lot more secure by design than it used to be, but there is no mainstream OS without vulnerabilities. Than includes hypervisor operating systems.
  • Or did. I couldn't figure out what it was for the longest time, figuring it has something to do with my Creative Labs sound cards. In part because it seemed to be related to game crashes with an audio component to them. As in the game crashes and there's angry noise coming from my speakers. I used to keep it from running because it ate resources that were always in short supply. And it seems to do absolutely nothing useful if you never change languages.

    Eventually though, I stopped caring. Now I get

Slashdot Top Deals

Those who do things in a noble spirit of self-sacrifice are to be avoided at all costs. -- N. Alexander.

Close