Google revealed on Tuesday that a critical security flaw has affected all versions of Windows for the past 20 years. Present since Windows XP, the vulnerability allows low-privileged applications to send commands to programs with administrator privileges. The breach, which Microsoft has not yet repaired, was discovered by security expert Tavis Ormandy, a member of Project Zero, a Google team responsible for detecting vulnerabilities in technology products.
READ: 4 years of Windows 10: see seven system curiosities
According to Ormandy, the flaw in question lies in the operation of a small security module (MS) known as MSCTF. Located in the Windows kernel or core, CTF is part of the Text Services Framework (TSF), which manages input methods, keyboard layouts, word processing, and other similar issues. When exploited, the vulnerability could allow an attacker to gain remote machine access.
Security flaw is present from Windows XP to Windows 10 Photo: Isabela Giantomaso / TechTudo
Want to buy a cell phone, TV and other discounted products? Meet the Compare TechTudo
When the user logs in to Windows, the operating system starts a process called ctfmon, which operates continuously in the background and monitors active windows, supporting functions such as keyboard layout. By allowing secondary programs to read and write data to higher-privileged applications, however, CTF opens the way for hackers to initiate remote computer attacks.
Taking advantage of the lack of access controls or any kind of authentication, attackers can perform actions restricted to users and software with administrator privileges. According to Ormandy, this includes reading and writing text from any window, falsifying IDs and circumventing sandbox security mechanisms.
The survey revealed that it was possible to cross sessions and breach Windows security limits for nearly 20 years, and no one noticed, said Ormandy in a blog post on Google Project Zero. The expert also pointed out that CTF has minor memory corruption that provides critical security flaws, such as viewing everything typed on the computer. This would allow, for example, to discover all passwords entered on the vulnerable PC.
On Forbes magazine's website, Microsoft said it resolved CVE-2019-1162 issues in August. The vulnerability cited, however, is only one of those discovered by Google. The Windows maker said the other flaws require more time for analysis and repair, and solutions should be released according to the monthly security updates for Microsoft products.
I have Windows 10, is it worth going back to Windows 7? Give your opinion on the TechTudo Forum.
How to choose a good antivirus