After being alerted to a "medium" security flaw in
Windows 10 by Google's Project Zero team, Microsoft took a swing and a miss at fixing it through yesterday's cumulative Patch Tuesday roll out. As per Project Zero's policy, the vulnerability has now been disclosed to the public, as Microsoft failed to address it within the usual
90-day disclosure period.
For anyone who is not familiar, the
Project Zero team researches security issues, particularly zero-day bugs, and passes on its findings to software companies. Those companies then have 90 days to plug up the security hole before Project Zero discloses its findings. Software outfits like
Microsoft can request an extension, but whether one is granted or not is decided on a case by case basis.
In this case, Project Zero made Microsoft aware of an authentication bug in Windows 10. Project Zero breaks down the
technical details in its disclosure, but summed up, a remote attacker with Windows credentials on a network could leverage a flaw in the Windows Local Security Authority Subsystem Service (LSASS) to elevate their privileges.
"LSASS doesn’t correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials," the disclosure states.
This was intended to be addressed with
CVE-2020-1509, which was part of yesterday's Patch Tuesday update. According to Microsoft, which labels the vulnerability as "important," this update "addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests." Case closed, right?
Not so fast. After reviewing the fix, Project Zero determined that the patch did not completely fix the issue.
"The issue is the DsCrackSpn2 call which was highlighted as incorrect has not been fixed. This allows you to specify an SPN which will both satisfy the proxy check and SPN check in CIFS etc. This isn't as general as the original bug as the system needs to have a configured proxy, however in enterprise environments that's likely a given and where this issue is the most serious," Project Zero explains.
In line with Project's Zero's policy, Microsoft was not granted an extension after pushing out an "incomplete fix." The bug is now public knowledge, complete with a proof-of-concept. Hopefully this lights a fire under Microsoft to fix the issue for good.