Windows logo

A Google security engineer says Microsoft has failed to properly patch a security flaw affecting Windows 10 and Windows Server 2016 distributions.

The flaw affects the Windows Storage Services, a core OS service that manages file transfers and storage operations. More precisely, the vulnerability affects the "SvcMoveFileInheritSecurity" function that Windows calls every time it wants to move a file.

Flaw lets attackers gain admin rights with ease

Back in November last year, James Forshaw, a software engineer with Google's Project Zero security team, discovered two methods of leveraging this function to elevate a user's privileges on a Windows computer.

The vulnerability —tracked as CVE-2018-0826— allows an attacker to copy or overwrite files to locations it normally shouldn't, such as the \Windows folder.

Since files located in that and other folders are sometimes automatically executed by various trusted applications and even the OS itself, this bug is a good and simple way of gaining admin-level privileges on a Windows system.

Microsoft patches only one of two exploitation methods

But Forshaw says he specifically filed two distinctive bug reports with Microsoft so its engineers would understand there are two ways of exploiting this vulnerability.

Despite his efforts, Forshaw was unpleasantly surprised last week when Microsoft only patched the first method, but not the second.

Forshaw argues that Windows users are still vulnerable to CVE-2018-0826, despite users applying the proper patches as part of the February 2018 Patch Tuesday updates.

The good news is that older Windows versions such as 8.1 and earlier are not affected and that the bug cannot be exploited remotely. Forshaw explains:

This issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However in order to execute the exploit you'd have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue, it's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place.

In other words, what Forshaw is saying is that despite this vulnerability requiring an attacker to have already compromised a Windows machine, the exploitation routine is so trivial that the vulnerability bound to be exploited by real-world malware to gain admin rights when the attacker ever needs higher privileges to perform more intrusive operations, such as gaining boot persistence.

Related Articles:

Microsoft December 2018 Patch Tuesday Fixes Actively Used Zero-Day Vulnerability

Windows 10 Insider Build 18298 Brings New Features and Improvements

Windows 10 Testing New Conversational Date Format in File Explorer

Windows Defender Can Detect Accessibility Tool Backdoors

Edge Browser Can Now Sign Into Microsoft Accounts With FIDO2 Security Keys