20 Year Old Bug in Microsoft Code


A 20-year-old bug in all versions of Microsoft Windows could allow a non-privileged user to run code that gives them full SYSTEM privileges on a target machine. The bug is notable because of where it resides: in a legacy, omnipresent protocol named Microsoft CTF. CTF is problematic because it communicates with other Windows services without proper authentication. As such, it can also be used as a bridge between different windows on a desktop.

The kernel forces applications to connect to the ctfmon service when they start, after which they exchange messages with other clients and receive notifications from the service. In cross-application communication, an authentication mechanism would ordinarily ensure that privileged processes are isolated from unprivileged ones. However, because CTF performs no authentication, an unprivileged program running in one window can use it to connect to a high-privileged program in another and spawn high-privileged processes. From a technical perspective, the flaw is being exploited via the Input Method Editor (IME), according to Todd Schell, senior product manager of security for Ivanti.


Since there is no access control in CTF, an attacker could connect to another user's active session and take over any application, or wait for an administrator to log in and compromise their session. Possible attacks include sending commands to an elevated command window, reading passwords out of dialogs, or escaping app container sandboxes by sending data to an uncontained app. It could also be used by malware if chained with another vulnerability.

CTF is a built-in Windows feature that has been around for about 20 years, on every Windows system since XP, which covers almost every Windows system in use today. Microsoft patched the bug as part of its August Patch Tuesday update. The issue can also be mitigated by simply turning off the ctfmon service.
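As an added example (not from the article or from Microsoft), the PowerShell audit below shows a defender how to check a host for the two conditions the article describes: ctfmon.exe loaded in more than one interactive session, and the August patch not yet applied. It assumes a Windows 10 style layout in which the Touch Keyboard and Handwriting Panel Service (TabletInputService) launches ctfmon.exe, and uses a placeholder for the KB number, which the article does not give.

```powershell
# Added example, not the article's own code. Audits ctfmon exposure on the local host.
# Assumption: TabletInputService is the service that spawns ctfmon.exe on this Windows version.
function Get-CtfmonExposure {
    param(
        # Placeholder: replace with the KB id of the August Patch Tuesday fix.
        [string]$PatchKb = 'KB-PLACEHOLDER'
    )

    # One ctfmon.exe per interactive session is typical; record each instance with its owner.
    $instances = Get-CimInstance Win32_Process -Filter "Name = 'ctfmon.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                SessionId = $_.SessionId
                Owner     = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            }
        }

    $sessions = @($instances | Select-Object -ExpandProperty SessionId -Unique)
    $svc      = Get-Service -Name TabletInputService -ErrorAction SilentlyContinue
    $patched  = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        CtfmonInstances    = @($instances)
        SessionsWithCtfmon = $sessions
        LauncherService    = if ($svc) { $svc.Status } else { 'not present' }
        PatchInstalled     = $patched
        # An unpatched host with ctfmon in several sessions (for example an admin session
        # alongside a standard user's) matches the cross-session scenario described above.
        CrossSessionRisk   = (-not $patched) -and ($sessions.Count -gt 1)
    }
}

Get-CtfmonExposure | Format-List
```

Run it from an elevated prompt so that process owners in other sessions can be resolved; a host reporting CrossSessionRisk of True is one where the article's mitigation (patching, or stopping the ctfmon launcher) has not yet been applied.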