cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Champion

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

Anyone read this one yet and thought about the implications?

https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html

 

"A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, back from Windows XP to the latest Windows 10.

The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application.

MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition."

 

This should keep many rather busy sorting this one out.

 

Regards

 

Caute_cautim

 

3 Replies
Newcomer II

Re: Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

Suppose 60% of vulnerabilities spend a fraction of their lifecycle as a zero day exploit. What are the odds we will start finding evidence of historical exploits for this vulnerability.
Best Wishes,

Don

Don Turnblade, MBA, MSc
"Protecting good people from being robbed with a computer."
PCI ISA, SSBB, CISM/CISA, C31000/AT31000, CISSP, PCIP



Contributor II

Re: Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

FWIW, the article notes that Microsoft has patched it in this month's (August's?) patch set.

 

Hopefully we're good.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow
Viewer II

Re: Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

I wonder how we could find evidence of usage of this kind of vulnerability, how many applications have stopped working the way they did since the update?

 

I'm minded of NSAKEY other built in doorways that are not even backdoors, known unknowns

 

Dave

DaveE 422537