High-severity Windows security flaw enables attackers to hijack any application

Bug affects all versions of Microsoft Windows, back from Windows XP to Windows 10

A security researcher has revealed details of a high-severity security flaw in the Microsoft CTextFramework (CTF) protocol that leaves Windows wide open to hijacking.

The vulnerability affects all versions of Microsoft Windows, back from Windows XP to Windows 10, according to Tavis Ormandy, the security researcher from Google's Project Zero Team, who first discovered the flaw in the CTF protocol.

The insecure CTF protocol could also enable an attacker or malware (that have already compromised a machine) to escape sandboxes and get admin rights on that machine.

Indexed as CVE-2019-1162, the flaw has now been patched by Microsoft in its August Patch Tuesday release of security fixes.

CTF dates back to Windows XP era and is part of the Windows Text Services Framework (TSF) - the system that is used to manage the text displayed inside Windows and Windows applications.

CTF is used in all Windows operating system versions from Windows XP to latest Windows 10.

However, this protocol is insecure due to multiple vulnerabilities, which can be exploited via applications that interact with the protocol to handle text on screen.

When a user starts an app on a Windows machine, the operating system also starts a CTF client for that app. This CTF client gets instructions from a CTF server about the keyboard input methods as well as the operating system system language.

If the language for the operating system input method is changed, all CTF clients are notified about the new change, which is then reflected in each Windows app accordingly.

Ormandy found that the communications between CTF servers and CTF clients are not properly secured.

He also developed a proof-of-concept tool that exploited CTF, via Notepad, and launched a command-line shell with System-level privileges.

"The obvious attack is an unprivileged user injecting commands into an Administrator's console session, or reading passwords as users log in. Even sandboxed AppContainer processes can perform the same attack," Ormandy explained in a blog post.

"These are the kind of hidden attack surfaces where bugs last for years," Ormandy noted. "It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."

The elevation-of-privilege holes in Windows are not rare and the company patches dozens of such bugs each year.

In its July 2019 Patch Tuesday update, the company addressed two actively exploited zero-days and five publicly disclosed vulnerabilities.

Earlier in April, a total of 74 vulnerabilities were fixed by Microsoft in its Patch Tuesday update, of which 15 vulnerabilities were labelled as 'critical'.

Last year, a survey by security firm Avecto suggested that the number of security flaws affecting Microsoft software had more than doubled in recent years, growing by 111 per cent since 2013.