serious bug found in WIndows that's been undetected for 20 years!

Marzipan · Aug 15, 2019

Undocumented Windows Protocol Enabled Full System Compromise For 20 Years

Google's Tavis Ormandy found an almost 20-year-old design flaw in the undocumented Windows CTF subsystem that could have allowed attackers to fully compromise systems.

www.tomshardware.com

an unknown protocol is the cause of the weak spot.

SugarJ · Aug 15, 2019

And it was patched on the latest update Tuesday.

Marzipan · Aug 15, 2019

SugarJ said:
And it was patched on the latest update Tuesday.

...partially patched.

Sagath · Aug 15, 2019

Mr. Friendly said:
...partially patched.

While I appreciate your ability to read your own cut/paste link you've posted, and your flair for drama...of using...dots...

We independently verified Ormandy's proof-of-concept, and it's precisely what it says on the tin: follow the directions and you get an nt authority\system privileged command prompt a few seconds later. We also independently verified that applying KB4512508 closed the vulnerability. After applying the August security updates, the exploit no longer works.

So although it might be 'partial' patch, a little research would show that the proof of concept exploit hole has been closed.

Of course...this could leave a window for other...exploits...to be found...However...I'm not going to go down a rabbit hole of ...'what ifs'...Although I do like using dots...

danmitch1 · Aug 16, 2019

dot dot dot...
Edit:

Izerous · Aug 16, 2019

It will be interesting to see what else comes out of this. There have been a slew higher profile security vulnerabilities found lately even some in steam (which said they don't care given the situation). Even if they did fully patch it i'd image there will be a large slew of people looking into things like this to try an expose other issues.

sswilson · Aug 16, 2019

I didn't read too deeply into it, but apparently the patch is breaking some old VB code.

Enduser · Aug 16, 2019

Why it’s called Windows

for one closes and other one opens.........

OS It’s a tool to monitor

Entz · Aug 17, 2019

sswilson said:
I didn't read too deeply into it, but apparently the patch is breaking some old VB code.

Do you have a link with information on that? At work I still support an old VB6 app released in early 2000

SugarJ · Aug 17, 2019

Here's the original post from the Google Project Zero engineer that found it. https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

Search

serious bug found in WIndows that's been undetected for 20 years!

Marzipan

Well-known member

Undocumented Windows Protocol Enabled Full System Compromise For 20 Years

SugarJ

Moderator

Marzipan

Well-known member

Sagath

Moderator

danmitch1

Well-known member

Izerous

Well-known member

sswilson

Moderator

Enduser

Guest

Entz

Well-known member

SugarJ

Moderator

Latest posts

About Us

Online statistics

Follow Us On Social Media

Contact