A few days ago, Google's Project Zero team publicly exposed a security flaw in Microsoft Edge because Microsoft failed to fix it in the allotted time. Although the move received slight backlash, it was also appreciated by many - some of them being Neowin readers - who praised the initiative as a means to set things in motion.
Google's Project Zero team of security researchers is tasked with finding bugs in software products developed by the firm itself as well as those from other tech giants. On successfully finding a flaw, the researchers report it to the relevant company and provide them with 90 days to fix the issue before it is made public.
Over the past couple of years, the initiative has disclosed several vulnerabilities in the same manner. Now, Project Zero has exposed a "high" severity security flaw in Windows 10.
According to the report in the Project Zero directory, the issue has been definitively tested on Windows 10 version 1709.
The flaw in question relates to the SvcMoveFileInheritSecurity remote procedure call (RPC), which if exploited, can lead to an arbitrary file being assigned an arbitrary security descriptor, that can potentially lead to elevation of privilege.
The remote procedure call makes use of the MoveFileEx function call which moves a file to a new destination. The problem occurs when the RPC moves a hardlinked file to a new directory which has inheritable access control entries (ACEs). Now even if the hardlinked file doesn't allow deletion, it can be allowed based on the permissions provided by the new parent directory that it has been moved to.
This essentially means that even if the file is read-only, if the server calls the SetNamedSecurityInfo on the parent directory, it will be able to assign it an arbitrary security descriptor, which would potentially allow other users on the network to modify it.
The security researcher who discovered this flaw has also attached a proof-of-concept code in C++ which creates a text file in the Windows folder, and abuses the SvcMoveFileInheritSecurity RPC to overwrite the security descriptor to allow access to everyone.
The security researcher went on to say that:
Some additional notes about this issue. Firstly based on the fix for issue 1427 this only affects Windows 10, it does not affect any earlier versions of Windows such as 7 or 8.1. However I've not verified that to be the case but there's no reason to believe it's incorrect. MS consider this to be an 'Important' issue, but crucially not a 'Critical' issue. This is because this issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However in order to execute the exploit you'd have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue, it's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place.
According to the details presented in the report, the flaw - labeled "1428" - was disclosed as a "high" severity security issue to Microsoft on November 10, 2017, along with a similar security issue, dubbed 1427. The standard 90-day deadline was provided to resolve both the problems. When the issue proved difficult to fix, Microsoft asked for an extension in the deadline and released the supposed fix last week on Patch Tuesday.
However, contrary to what Microsoft may have believed, the patch fixed issue 1427, but detailed analysis from the Google researcher proves that 1428 - detailed above - still hasn't been resolved. As such, Google has informed the Microsoft Security Response Center (MSRC) that it is making the flaw visible to the public. It will be interesting to see if this disclosure accelerates the fixing of the bug given that it is now public knowledge accessible to everyone, even those with malicious intent.
Google has clarified to Neowin that it's just a coincidence that the two flaws have been publicly disclosed in such close proximity in terms of time, simply because the standard 90-day deadlines and 14-day grace periods aligned as such.
We have reached out to Microsoft for clarification regarding the security flaw, and will provide an update if the company responds.
Update: Microsoft has responded to Neowin's request for comment regarding the expected time frame in which it plans to resolve the issue, with a brief statement saying that:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.