As you can see, we’re an unprivileged local user who’s not allowed to monkey with things under C:WindowsSystem32. [credit:
Jim Salter ]
On Tuesday, Tavis Ormandy of Google’s Project Zero released an exploit kit called
ctftool, which uses and abuses Microsoft’s Text Services Framework in ways that can effectively get anyone
system that is—on any unpatched Windows 10 system they’re able to log in to. The patches for this vulnerability—along with several other serious issues—went out in this week’s Patch Tuesday update.
We independently verified Ormandy’s proof-of-concept, and it’s precisely what it says on the tin: follow the directions and you get an
nt authoritysystem privileged command prompt a few seconds later. We also independently verified that applying KB4512508 closed the vulnerability. After applying the August security updates, the exploit no longer works.
The full writeup of Ormandy’s findings is fascinating and incredibly technically detailed. The TL;DR version is that Microsoft’s Text Services Framework, which is used to provide multilingual support and has been in place since Windows XP, includes a library called
MSCTF.DLL. (There’s no clear documentation demonstrating what Microsoft intended CTF to stand for, but with the release of this tool, it might as well stand for Capture The Flag.)