Google has publicly disclosed a “moderate” security issue affecting various versions of Windows to warn users. According to Google, Microsoft only half-heartedly fixed the vulnerability in the August Patch Tuesday updates published yesterday.
The Google Zero Day team criticizes the fix that Microsoft is now offering its users with yesterday’s Patch Tuesday updates as incomplete. Microsoft was informed in May about the vulnerability, which enables a potential attacker to circumvent network authentication using applications. The vulnerability itself is to be found in an older Windows AppContainer. Apps that Microsoft delivers via the Store are not affected; programs that are loaded from other sources can very well have the security vulnerability.
According to Google, a local attacker can theoretically exploit the vulnerability and access localhost services via the back door in firewall APIs and then look for a system service there that can be bypassed. There is a Proof-of-Concept (PoC) for the vulnerability, which shows how quickly elevated privileges can be achieved with it; an attacker then basically has free rein on the victim’s PC.
Google Discovered And Reported Problems In May
Google reported the vulnerability and gave Microsoft the usual 90 days to fix it. A further grace period was also granted so that Microsoft could introduce a fix on Patch Tuesday in August.
The problem was publicly listed as “CVE-2020-1509” in the release notes yesterday. According to Google, the fix doesn’t completely solve the problem. The security team has therefore decided to make the warning about the vulnerability and the proof-of-concept public. If Microsoft wants to react in an exemplary manner, a follow-up patch that properly closes the security gap is required as quickly as possible. Microsoft does not consider the vulnerability to be problematic and only wrote “Vulnerability is less likely”.
- Addresses an issue in Universal Windows Platform (UWP) applications that allow single sign-on authentication when an application does not have Enterprise Authentication functionality. With the release of CVE-2020-1509, UWP applications may prompt the user for credentials.
According to Microsoft’s security advisory, the problem affects numerous Windows versions, including Windows Server 2012, 2016, and 2019, Windows RT 8.1, Windows 8.1, and all Windows 10 versions up to the current version 2004.