As if we needed further proof that the Internet is truly the Wild Wild West, Microsoft has just owned up to the latest cybersecurity No-No: a bug that has been stalking Windows users for 20 years.
I repeat: TWENTY YEARS!!!.
The vulnerability is present in ALL versions of Microsoft Windows and allows non-authorized users to run code that will give them full access to your machine. In other words, it allows hackers in.
That bug had been living within an obscure legacy Microsoft protocol called CTF for two decades. CTF is part of the Windows’ Text Services Framework, meaning computers running Windows connect to CTF to controls things like keyboard layout and text input methods.
Tavis Ormandy, a researcher with Google Project Zero—a group of cybersecurity experts tasked with finding secret hackable bugs that are exploited by state-sponsored hackers and criminals—first found the flaw.
In May, he reported his findings to Microsoft. After the company did not address the issue after 90 days, Ormandy released details to the public late last week.
“These are the kind of hidden attack surfaces where bugs last for years,” Ormandy wrote in a blog post. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly 20 years, and nobody noticed.
This design flaw allows hackers to compromise an application, which can then launch new programs to take over. And if the first application was running with elevated privileges, the next program will also open with authorized privileges that were never granted.
In practice, that means a bad actor could take over your Notes application and then open any other program that runs CTF, including your Internet browser.
To ensure your machine running Windows is safe, download the latest security updates from Microsoft. Microsoft released the patch for this vulnerability – albeit 20 years too late. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
Be sure to install the latest security patch ASAP. Windows 10 has auto updates enabled by default, so you may not have to do anything. If you have auto updates turned off, though, switch them back on and download the patch.
