Google researcher finds vulnerability that has been in Windows for 18 years


Microsoft has patched a vulnerability in a component of the Windows Text Services Framework (TSF). The vulnerability was found by a security researcher at Google, who states that it has been present in Windows since 2001.

The vulnerability was found by Tavis Ormandy, a security researcher with Google's Project Zero initiative. He investigated communication between different windows in Windows, in particular communication with applications that require administrator rights. During his experiments he noticed that a module called MSCTF was being loaded. He did not know what CTF stands for, but he did know that it is part of the Text Services Framework. This framework manages input methods, keyboard layouts, and text processing, among other things.

When a program is loaded, Windows starts a CTF client that receives instructions from a CTF server whenever the input changes, for example when a different language is selected. The client then applies the language change to the program in real time. Ormandy discovered that the communication between a CTF client and server is not secured.

This allows an attacker to hijack a CTF session by posing as a CTF server and sending commands to a program, he told ZDNet. This works with any Windows program or service, including those running with elevated system privileges and sandboxed processes. Attackers cannot use this method to break into Windows systems from the outside, but they can escalate their privileges on a system they already have access to and thereby take it over.

The first version of CTF that Ormandy could trace dates back to 2001, and it became part of Windows XP afterwards. According to him, the protocol still contains a great deal of outdated code. The researcher has published a tool on GitHub with which other researchers can further analyze the CTF protocol, and he says he is curious to see how Microsoft will modernize CTF.

Microsoft patched the described vulnerability as part of the August security update for supported Windows versions. In the same update, Microsoft also closed two critical vulnerabilities in Windows Remote Desktop Services.
