
Windows 10 19H1, the next major iteration of the Windows operating system, will include a series of fixes for what Microsoft has called a "novel bug class," and which has been discovered by a Google security engineer.
The patches not only fix some Windows kernel code to prevent potential attacks; they also mark the end of an almost two-year collaboration between the Google and Microsoft security teams, a rare event in itself.
What is this "novel bug class"?
All of this began back in 2017, when James Forshaw, a security researcher on Google's Project Zero elite bug-hunting team, found a new way to attack Windows systems.
Forshaw discovered that a malicious app running on a Windows system with normal permissions (user mode) could tap into a local driver and the Windows I/O Manager (a subsystem that facilitates communications between drivers and the Windows kernel) to run malicious commands with the highest Windows privileges (kernel mode).
What Forshaw discovered was a novel way to execute an elevation of privilege (EoP) attack that hadn't been documented before.
But despite finding what security researchers later called some "neat" bugs, Forshaw eventually hit a wall when he couldn't reproduce a successful attack.
The reason was that Forshaw didn't have intimate knowledge of how the Windows I/O Manager subsystem worked, and how he could pair up driver "initiator" functions and kernel "receiver" functions for a complete attack [see image below].
The collaboration was essential
To get around this issue, Forshaw contacted the only ones who could help: Microsoft's team of engineers.
"This led to meetings with various teams at [the] Bluehat 2017 [security conference] in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base," Forshaw said.
Microsoft picked up Forshaw's research where he left off, and tracked down what was vulnerable and what needed to be patched.
During its research, the Microsoft team found that all Windows versions released since Windows XP were vulnerable to Forshaw's EoP attack routine.
Steven Hunter, the Microsoft engineer who led this charge, said that the Windows code features a total of 11 potential initiators and 16 potential receivers that could be abused for attacks.
The good news: none of these 11 initiator and 16 receiver functions could be chained together for an attack that abuses one of the default drivers that ship with Windows installations.
The bad news: custom drivers may enable attacks that the Windows team was not able to investigate during its research.
For this reason, some patches will ship with the next Windows 10 version, scheduled for release in a few weeks, to prevent any potential attacks.
"Most of these fixes are on track for release in Windows 10 19H1, with a few held back for further compatibility testing and/or because the component they exist in is deprecated and disabled by default," Hunter said. "We urge all kernel driver developers to review their code to ensure correct processing of IRP requests and defensive use of the file open APIs."
More technical details about this novel EoP attack method are available in Forshaw and Hunter's reports.
The cooperation between the Microsoft Security Response Center (MSRC) and Google's Project Zero team also surprised many in the infosec community because at one point in the past, these two teams had a small feud and were known to publicly disclose unpatched flaws in each other's products.
The Microsoft and Project Zero folks may have the occasional disclosure beef, but this is the kind of collaboration that happens all the time, for the greater good. pic.twitter.com/HmGQUX1OfF
— Ryan Naraine (@ryanaraine) March 14, 2019
Awesome collaboration between @tiraniddo & @_strohu on hunting for a class of Windows kernel driver vulns. This is what happens when you combine a logic-flaw-finding expert, an MSRC security engineer, and a powerful static analysis tool like Semmle :) https://t.co/VWVCw5mTml
— Matt Miller (@epakskape) March 14, 2019
This type of collab happens at so many levels between MS & its competitors. Those driven by the avg employees are generally really positive. :)
— Rey Bango (@reybango) March 14, 2019