Google Finds 20-Year-Old Microsoft Windows Vulnerability

There's no indication that this vulnerability was ever used in the wild, but the code it was discovered in -- Microsoft's Text Services Framework -- has been around since Windows XP.

Posted on August 21, 2019 at 6:46 AM • 15 Comments

Comments

AnonymousAugust 21, 2019 7:50 AM

I bet a few bucks that the fix is not rock solid.

"Clients report their thread ID, process ID, and window handle—but there was no verification and nothing stopping such a client from lying through its teeth to get what it wants."

Does the patch really check in time the reported thread ID, process ID, and window handle?
I bet not.
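
An added example, not from this comment or the article, showing the pattern the quoted sentence describes: a server that acts on a client's self-reported process ID beside one that checks the claim against what the kernel reports. It assumes Linux, where SO_PEERCRED on a Unix-domain socket returns the peer's credentials; the Request type, the handler names and the constructed "lying" request that claims pid 1 are illustration only. The Windows analogue of the check is deriving a window's owning thread and process from the handle with GetWindowThreadProcessId rather than reading them from the message.

```python
import os
import socket
import struct
from dataclasses import dataclass


@dataclass
class Request:
    """A request as the client sends it: the identity field is self-reported (constructed type)."""
    claimed_pid: int
    action: str


def kernel_peer_pid(conn: socket.socket) -> int:
    """Ask the kernel who is on the other end of a Unix-domain socket.

    SO_PEERCRED (Linux-specific) fills struct ucred {pid_t pid; uid_t uid; gid_t gid;}.
    The values come from the kernel, so the client cannot forge them.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def handle_trusting(req: Request, conn: socket.socket) -> int:
    """Weak pattern: acts on whatever PID the client put in the message."""
    return req.claimed_pid


def handle_verified(req: Request, conn: socket.socket) -> int:
    """Hardened pattern: the claim must match what the kernel says, otherwise reject."""
    actual = kernel_peer_pid(conn)
    if req.claimed_pid != actual:
        raise PermissionError(
            f"client claimed pid {req.claimed_pid} but kernel reports {actual}"
        )
    return actual


def accepted(handler, req: Request, conn: socket.socket) -> bool:
    """True if the handler processed the request, False if it rejected it."""
    try:
        handler(req, conn)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Run an honest and a lying request through both handlers.

    socketpair() keeps both ends in this process, so the genuine peer PID is
    os.getpid(); the constructed lying request claims pid 1 instead.
    """
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        honest = Request(claimed_pid=os.getpid(), action="set-focus")
        liar = Request(claimed_pid=1, action="set-focus")
        return {
            "trusting_honest": accepted(handle_trusting, honest, server_end),
            "trusting_liar": accepted(handle_trusting, liar, server_end),
            "verified_honest": accepted(handle_verified, honest, server_end),
            "verified_liar": accepted(handle_verified, liar, server_end),
        }
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The trusting handler accepts both requests because it never consults anything but the message; the verified handler accepts the honest one and rejects the one whose claimed identity disagrees with the kernel's record. The point generalises beyond PIDs: any identity or capability field a client fills in itself must be cross-checked against a source the client cannot write to.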

parabarbarianAugust 21, 2019 10:24 AM

Seems to me I saw something like this in NT. I didn't pay it much mind since I was focused on remote exploits at the time. Besides, the perception then was that Microsoft did not care much about security as long as corporations kept buying their software.

JeffAugust 21, 2019 11:26 AM

All non-trivial software has bugs. The more complex it is and the longer it has been around makes the bug list grow.
I wouldn't be surprised if Win10 has over 10,000 critical, remote access, bugs. Probably many more for Win7, WinXP, and all prior versions.
The same applies to Unix and Linux and BSD, though the stronger security model should help prevent OS takeover.

That's my theory.

Android is a problem. I suspect it is the least secure of all the current OSes out there and getting your devices patched 1-2 yrs after purchase is nearly impossible for most people.

tfbAugust 21, 2019 3:33 PM

@Jeff Whenever I hear someone talking about unixoids having a 'stronger security model' I want to hit something. Stronger than what? And the horrible possibility that not only does the thing they are purportedly stronger than exist, but that it might see significant use.

(And yes, I know about SELinux &co: that's not what I mean and I assume not what you mean.)

Petre Peter August 21, 2019 7:30 PM

It seems like Google is trying to get in the OS business as much as Microsoft is trying to get into searches. This competition should be good for consumers.

IsmarAugust 21, 2019 8:33 PM

“Capture The Flag” in Service that provides multilingual support - doesn’t get better than this for getting all sorts of ideas why this vulnerability might have stayed in Windows for such a long time

“The full writeup of Ormandy's findings is fascinating and incredibly technically detailed. The TL;DR version is that Microsoft's Text Services Framework, which is used to provide multilingual support and has been in place since Windows XP, includes a library called MSCTF.DLL. (There's no clear documentation demonstrating what Microsoft intended CTF to stand for, but with the release of this ...”

Sed Contra August 21, 2019 9:01 PM

@Petre Peter

good for consumers.

Seems unlikely, as both competitors are successful treating consumers as product, rather than serving their best interests, and whoever were to win will just be that much better at it.

ATNAugust 22, 2019 3:50 AM

I was wondering why this PC of a friend had Pinyin support installed. I removed it a few weeks ago because such a PC never had contact with any other input/output than the Roman alphabet.
Never fix a bug which is not actively exploited?

Clive RobinsonAugust 22, 2019 5:38 AM

@ tfb, Jeff,

Whenever I hear someone talking about unixoids having a 'stronger security model' I want to hit something.

This has been going on for at least as long as the 286 Processor has existed...

The thing that history teaches us in ICTsec is,

    The less market share an OS has the less likely it is to be generally[1] attacked.

Which if you think about it is the malware writers/developers sensibly putting their effort where it potentially has the best ROI for them. So not just "low hanging fruit" but "biggest orchard" as well.

Also there is the fact that, the more popular an OS is, the more criminals there are that use and know it. Which is a mirror of the general population of which criminals are just a small fraction. After all "familiarity breeds contempt" as well as experience.

So in general it's kind of a Problem-Squared issue, and the popular OS gets way more malware attention than would be expected for its market share. Which in turn makes the small market share OS look way more secure than it really is. That is, in the general case malware is a numbers game that reflects the current state of the consumer marketplace, not the relative merits of the products in that marketplace.

So much so in fact, it kind of flies in the face of the old saying about "obscurity"... Which means that if the OS developers for different OS's are equally as skilled and on average each OS is about as secure (which they are), then at any given time there can indeed be some safety in obscurity, albeit fleetingly.

We actually saw this in play a few years back with "Security Personalities" recommending Apple-over-Microsoft, then at other times Linux-over-Microsoft etc. But as each new "personality" recommended OS becomes more popular, general "fire and forget" malware catches up with it as its popularity rises. Which makes making such recommendations "A Mug's Game" which catches up to you.

But it runs deeper than that, sometimes those who think they are "special" and can design "a better mouse trap" eventually realise just what is involved and they in effect walk away from it. The classic example is those who think security "segregation can be done by software" and maybe a little by hardware such as an MMU... Then the likes of "RowHammer" come along and their heavily fortified Castle standing like a "cubist abstraction" in sunlight, is found to have foundations not on rock but sand and it sinks under its own weight. They sometimes eventually learn what "Real Segregation" is about, then what is needed by the way of heavily mandated choke point communications is required. Others start from that point then find the issues of not having "Real point-to-point communications" that is what happens when your Shannon Channel is leaky, or worse shared and how in consumer devices "Real Segregation is not an option" if you want to get the positions of various end points correct. But even that is insufficient as "End Run Attacks" happen in the tangible physical world just as much as they do in the intangible information world.

If @Nick P is listening in he can point you in the direction of OS's that are more secure and have been shown to be by various mathematical proofs etc. And yes such OS's tend to have very small market share as well, because such OS's tend to come at a price... In fact quite a significant price if they came from those in the MIC.

But as they say "That's not the half of it by a long way". Because they are not "the" security solution but a quite small "part of" a security solution.

As far as the big bucks go, then there is the price of the physically secure computer hardware. Then the SCIF to "energy gap" the computer to go on top of that. But it does not stop there, you then have to start on physical security... So then there is the cost of the strong room to protect the SCIF. But strong rooms need guarding not just at the entrance but at all times, and even guards can be coerced so you need several on the payroll, background checks etc etc. Even then people still walk out the front door with all your secrets in a Rubik's Cube.

In Short real security costs big if you don't want to take chances, and even then it can be defeated. It's why in "physical security" they do play dice with probability and leverage obscurity where ever they can. Because it reduces both the number of people "In the Know" and likewise the time that those people know the information to very short intervals thus reducing an attackers "window of opportunity".

[1] There is a difference between "generally" and "specifically" when it comes to security, and this applies to OS's and applications as well. Basically there are four types of criminal and two types of target. That is the majority of the criminals do not pick "specific targets"[2] they go for targets that fit a pattern, so your chance of being attacked is based on probabilities.

[2] If you are a "Person of Interest" it does not matter what "consumer OS" you use they will have ways to break in to it even if it requires what once used to be called "front panel access". Thus if you are more than just of "interest", you will have to up your game beyond air/energy gaps to actual physical security in depth, designed not to stop them but delay them enough for a security team to deal with them.

borgAugust 22, 2019 9:31 AM

There's no indication that this vulnerability was ever used in the wild

I wish people would stop saying this, because it's meaningless -- or at least, way less meaningful than people seem to think.

Evidence of absence versus absence of evidence, etc. Daniel Kahneman might have something to say about this.

ChrisAugust 22, 2019 6:21 PM

Kind of interesting, how about securing the cut and paste buffer in Windows, I think it's related to user32, seems impossible.
Not using Windows in a long time so not at all interested in how to do it, just a peculiar thing that

Why_did_we_do_that_again?August 30, 2019 2:01 PM

Can we please "re-up" that incident for the masses as yet another reason to quit trusting the Microsoft corporation and its business practices and customs by default?

Sincerely,

Why_did_we_do_that_again?

