As part of the 120 Patch Tuesday security updates released on August 11, Microsoft included a fix for a Windows 10 authentication vulnerability that affects all commercial versions of the operating system. The elevation-of-privilege vulnerability in the Local Security Authority Subsystem Service can allow a remote attacker to bypass the network's commercial authentication.
The problem is that, as James Forshaw, a Google Project Zero researcher, has revealed, the fix doesn’t solve it at all.
This is undoubtedly something of a security stink for Microsoft, and Google has called it out: “Any incomplete correction is added to tracking disorders as additional data and given more time for resolution,” Forshaw said in his disclosure.
The vulnerability is not easy to exploit and, as such, is classified only as “important” rather than “critical”. However, it has the potential to affect Windows 10 business users because of the way the legacy Windows app container handles access to commercial authentication through single sign-on.
A remote attacker must already have Windows account credentials on the target network. However, a malicious authentication request to the Windows Local Security Authority Subsystem Service (LSASS) can result in elevation of privilege for that user. This is, the non-critical rating aside, a major problem because LSASS is a key component of the authentication process when logging on to a Windows PC controlled through Active Directory.
The Google Project Zero team does a wonderful job of discovering zero-day vulnerabilities, but has a fairly strict 90-day disclosure rule. If the affected vendor has not fixed the vulnerability within 90 days, Project Zero goes public.
There have been exceptions, with additional time allowed, specifically for complex issues. CVE-2020-1509, apparently, is not one of them. It was initially reported to Microsoft on May 5 and had already been granted an extension on July 30. The disclosure includes a proof of concept, which makes this elevation-of-privilege flaw a security concern for affected Windows 10 users.
Of course, it’s hardly surprising that the decision not to extend was made as the disclosure had already been published, along with that proof of concept, when it was thought that the Patch Tuesday fix had, well, fixed it. This cat was well and truly out of the bag by the time it was realized the fix had failed, at least in part.
The Microsoft security advisory indicates that there is no mitigation or workaround for this vulnerability. At this point, there is also no indication of when a complete fix will be available. I contacted Microsoft to ask about this and will update this article if I get an answer.
I have been an experienced journalist for three decades and have been editor-in-chief of PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year Award (2006, 2008, 2010), I was also fortunate to be named BT’s Tech Journalist of the Year in 1996 for an innovative feature in PC Pro called “Internet Threats”. In 2011, I won the Enigma Award for my lifelong contribution to computer security journalism. Contact me in confidence at [email protected] if you have a story to reveal or research to share.