Microsoft's software has been under a lot of scrutiny from security researchers lately with Google's Project Zero team publicly disclosing bugs in Microsoft Edge and Windows 10 last month. Now, it appears that researchers from the University of Padua in Italy have discovered a design weakness in Control Flow Guard (CFG), which compromises the security of Windows 8.1 and Windows 10.
Microsoft's CFG was first released in Windows 8.1 Update 3 and has since been used to compile the kernel of the OS, even in Windows 10. The company describes it as a "highly-optimized platform security feature that was created to combat memory corruption vulnerabilities". CFG prevents indirect calls and jumps in code, so attackers can't execute the code in arbitrary locations.
However, security researchers at the University of Padua have discovered that in an effort to improve performance and make CFG backward-compatible, Microsoft has made some design flaws. Andrea Biondo, one of the researchers at the university, states that:
The [control flow] restriction is precise only when the allowed targets are aligned to 16 bytes. If they are not, then there is a 16-byte imprecision around the target [...] By combining the presence of unaligned targets in common libraries with the predictability of the layout of functions generated by the compiler, we can bypass CFG.
The security researchers will detail their exploit at the Black Hat Asia Conference this month, where they will also utilize a proof-of-concept code to bypass CFG using Microsoft Edge in Windows 10 (64-bit), to demonstrate how the flaw can be utilized in real-world scenarios. This exploit has been dubbed as Back to the Epilogue (BATE) by the Italian researchers.
According to the report, the security flaw leaves over 500 million computers at risk, and is even more dangerous because BATE isn't application-specific, and can be exploited easily if the victim process loads certain common libraries. The security researchers report that they have informed Microsoft of the problem, and that the company plans to fix it by the Windows 10 Redstone 4 update, which is coming soon.
Speaking with Neowin, Microsoft has recommended that customers use Windows 10 as the company investigates the security flaw, saying that:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 for the best protection.
Given the huge number of computers at risk from the design flaw in CFG, Microsoft will have to work hard to ensure that it rolls out the fix in a timely manner.
Source: Dark Reading