Google Finds 20-Year-Old Bug in Windows


Microsoft hasn’t patched the bug yet.

Bugs are part of software development processes, as Linus Torvalds once said. No software is immune to bugs, and not all bugs are benign. Some bugs can also become security vulnerabilities. Researchers at Google’s Project Zero Team have disclosed one such bug in Microsoft’s Windows operating system. 

“The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application,” reported the Hacker News.

MSCTF is core part of the Windows Text Services Framework that manages things like input methods, keyboard layouts, text processing, etc.

The Hacker News wrote that the weakness in CTF protocol could allow attackers to easily bypass User Interface Privilege Isolation (UIPI) and take control of the UAC consent dialog, send commands to the administrator's console session, or escape IL/AppContainer sandboxes by sending input to unsandboxed windows.

As per the Project Zero Day policy, Google researchers informed Microsoft of the bug giving them 90 days to fix the problem. Microsoft hasn’t yet patched the bug.


Related content

comments powered by Disqus