ALERT: Keep Windows updated; IA monitoring unpatched Windows flaws
The information below was sent to U-M IT staff groups via email on August 15, 2019. It is intended for U-M IT staff who are responsible for university computers running Windows. Any Windows user may be interested.
Technical details of a set of 20-year-old critical design flaws in all versions of Windows were disclosed by Google’s Project Zero Team on August 13. While Microsoft says that some of the issues related to the flaws were resolved in updates released in May (IA Alert: Update older Windows versions for vulnerability ASAP) and on August 13 (IA Alert: Update Windows ASAP for critical vulnerabilities), updates are not yet available to address the others. Information Assurance (IA) is monitoring the situation and will provide updates and guidance as further information becomes available. In the meantime, keep Windows updated and continue to follow IT security best practices to reduce risk.
Flaws in all versions of Windows could allow an attacker to read sensitive text from any window of other applications, including passwords from dialog boxes, and to gain SYSTEM privileges. These design flaws have existed for about 20 years. Microsoft has released updates to address some—but not all—of the flaws.
Affected systems: all versions of Windows.
If you have not already done so, apply the May and August Windows updates for your version(s) of Windows as soon as possible after appropriate testing. The threat posed by CVE-2019-1162 justifies an accelerated timeline for patching that is faster than the timelines specified in Vulnerability Management (DS-21).
- May update (Windows XP and 7; Windows Server 2003 and 2008)
- August 13 update (Windows 7, 8 and 9; Windows Server 2008, 2012, 2016, and 2019)
Watch for additional Microsoft upgrade announcements related to the identified flaws and be prepared to apply the updates as soon as possible after appropriate testing.
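As an added example (not from the U-M alert), a PowerShell check an administrator could run on a managed Windows machine to verify the two actions above: that the required updates are installed and that automatic updates are not disabled by policy. The KB numbers are placeholders, since the alert does not list them; take them from Microsoft's release notes for the May and August 13 updates for your Windows version.

```powershell
# Added example, not part of the U-M alert. Run locally on the machine being checked.
# $RequiredKBs is a PLACEHOLDER list: replace with the KB article IDs of the
# May and August 13, 2019 updates for this OS from Microsoft's release notes.
param(
    [string[]]$RequiredKBs = @('KB0000000', 'KB0000001')   # placeholders
)

# OS identity, so the report shows which update set applies.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Installed updates as reported by Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Any required KB that is not present on this machine.
$missing = @($RequiredKBs | Where-Object { $_ -notin $installed })

# Windows Update policy: NoAutoUpdate = 1 means automatic updates are turned off by policy.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
$autoUpdateDisabled = ($noAuto -eq 1)

# One report object per machine; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    OSVersion          = "$($os.Caption) $($os.Version)"
    LastBootUpTime     = $os.LastBootUpTime
    MissingUpdates     = if ($missing.Count -gt 0) { $missing -join ', ' } else { 'none' }
    AutoUpdateDisabled = $autoUpdateDisabled
    Compliant          = ($missing.Count -eq 0) -and (-not $autoUpdateDisabled)
}
```

A machine that reports the update as installed but has not rebooted since (see LastBootUpTime) may still be running the unpatched code, so pair this check with your reboot tracking.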
The Google Project Zero Team researcher who disclosed the flaws published a proof-of-concept video demonstrating how the flaws can be exploited to gain SYSTEM privileges in Windows 10. He also published a collection of tools and code for exploring the Windows MSCTF design flaws that he found. The availability of this information increases the risk of malicious exploitation of the MSCTF design flaws.
The flaws affect the communication method between MSCTF clients and servers. MSCTF is a module in the Windows Text Services Framework (TSF) that manages things like input methods, keyboard layouts, and text processing. The flaws could allow any user or application to read and write data to higher privileged applications.
How We Protect U-M
Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community. IA will continue to monitor information about this particular vulnerability and will provide additional guidance as further information becomes available.
MiWorkspace staff routinely apply Windows updates as soon as possible after appropriate testing. The May update has been applied, and the August update is being applied August 15.
Information for Users
MiWorkspace is applying the critical August Windows updates today (August 15). Other university-managed machines will be updated as soon as possible. If you have a personal computer running Windows, and it is set to receive automatic updates, your computer will be updated for you. We recommend that you set Windows to update automatically.
While updates are not yet available to protect against all the announced design flaws in Windows, these flaws make it more important than ever to keep up with routine IT security best practices:
- Windows CTF Flaws Enable Attackers to Fully Compromise Systems (Bleeping Computer, 8/14/19)
- Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows (The Hacker News, 8/13/19)
- Vulnerability in Microsoft CTF protocol goes back to Windows XP (ZDNet, 8/13/19)
- Google hacker discloses 20-year-old Windows flaw still unpatched (Security Affairs, 8/13/19)
- CVE-2019-1162 (8/13/19)