Windows 10 19H1, the next major iteration of the Windows operating system, will include a series of fixes for what Microsoft has called an "unpublished bug class" that was discovered by a Google security engineer.
The fixes not only harden the Windows kernel code against potential attacks, they also mark the end of a nearly two-year collaboration between the Google and Microsoft security teams, a rare event in itself.
What is this "new bug class"?
It all started in 2017 when James Forshaw, a security researcher with Google's elite Project Zero bug-hunting team, discovered a new way to attack Windows systems.
Forshaw discovered that a malicious application running on a Windows system with normal permissions (user mode) could access a local driver and the Windows I/O Manager (a subsystem that facilitates communication between drivers and the Windows kernel) to execute malicious commands with the highest Windows privileges (kernel mode).
What Forshaw discovered is a new way to execute a privilege escalation attack that had not been previously documented.
But despite discovering what security researchers later called "bugs," Forshaw eventually hit a wall when he could not reproduce a successful attack.
The reason was that Forshaw did not have deep knowledge of how the Windows I/O Manager subsystem works, or of how a driver's "initiator" functions could be paired with the kernel's "receiver" functions for a complete attack.
Collaboration was essential
To solve this problem, Forshaw contacted the only people able to help: Microsoft's engineering team.
"This led to meetings with different teams at [the] Bluehat 2017 [security conference] in Redmond where a plan was formed for Microsoft to use its access to source code to discover the extent of this class of bugs in the Windows kernel and driver code base," Forshaw said.
Microsoft picked up Forshaw's research where he left off and identified what was vulnerable and what needed to be fixed.
During its research, the Microsoft team found that all versions of Windows released since Windows XP were vulnerable to Forshaw's EoP attack routine.
Steven Hunter, the engineer who led this effort at Microsoft, said the Windows code contained a total of 11 potential initiators and 16 potential receivers that could be used for attack purposes.
The good news: none of these 11 initiators and 16 receivers could be chained together for an attack that abuses one of the default drivers provided with Windows installations.
The bad news: custom drivers may enable attacks that the Windows team was not able to study during its research.
For this reason, some fixes will be delivered with the next version of Windows 10, which is expected to be released in a few weeks, to prevent any potential attacks.
"Most of these patches are about to be released in Windows 10 19H1, with some delays for other compatibility tests and/or because the component in which they exist is obsolete and disabled by default," said Hunter. "We invite all kernel driver developers to review their code to ensure proper processing of IRP requests and the defensive use of open file APIs."
More technical reports on this new EoP attack method are available in the Forshaw and Hunter reports.
The cooperation between the Microsoft Security Response Center (MSRC) and Google's Project Zero team has also surprised many members of the infosec community, because at one point the two teams had a little quarrel and were known to publicly disclose unpatched flaws in each other's products.
Microsoft and Project Zero employees may have occasional revelations, but this is the type of collaboration that is happening all the time, for the benefit of all. pic.twitter.com/HmGQUX1OfF
– Ryan Naraine (@ryanaraine) March 14, 2019
Great collaboration between @tiraniddo and @_strohu looking for a class of Windows kernel drivers. This is what happens when you associate a logical error search expert, an MSRC security engineer, and a powerful static analysis tool, such as Semmle 🙂 https://t.co/VWVCw5mTml
– Matt Miller (@epakskape) March 14, 2019
This type of collaboration occurs at many levels between MS and its competitors. Those who are motivated by employees are generally very positive. 🙂
– Rey Bango (@reybango) March 14, 2019