The popular cyber security expert Tavis Ormandy,
The vulnerability, rated as high-severity, affects all versions of Microsoft Windows from Windows XP. Ormandy disclosed technical details
Ormandy explained that the
The flaw resides in the way MSCTF clients and server communicate with each other. The vulnerability could allow a low privileged or a
According to Ormandy the lack of access control or any kind of authentication could allow any application, any user and even
“Now that I can compromise any CTF client, how do I find something useful to compromise?” reads a blog post published by the expert. “There is no access control in CTF, so you could connect to another user’s active session and take over any application, or wait for an Administrator to
Ormandy explained that the flaw in CTF protocol could allow attackers to bypass User Interface Privilege Isolation (UIPI), allowing an unprivileged process to:
The expert published video proof-of-concept that shows how to trigger the flaw in Windows 10 to gain SYSTEM privileges.
Ormandy pointed out that the CTF protocol also contains several memory corruption vulnerabilities that can be exploited in a default configuration.
“Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol,” the researcher concluded.
Ormandy released a tool dubbed CTF Exploration Tool he has developed to discover security issues in the Windows CTF protocol.
Ormandy responsibly reported the flaws to Microsoft in