This week saw security researchers announcing not one but two vulnerabilities in Microsoft products. Despite having been warned of the problems months earlier by different security labs, Microsoft has either decided to ignore them or decided that they are not a problem. The first vulnerability relates to Microsoft’s Edge browser, while the second is found in the Windows kernel. Earlier in the year, the tech giant responded well and patched vulnerabilities in conjunction with other security firms. This led many to believe Microsoft was turning over a new leaf with regard to security issues, for which it had previously been criticised. With the latest vulnerabilities, it seems that the leaf has remained unturned.
Researchers at Cisco Talos discovered a vulnerability in Edge related to the browser’s enforcement of Content Security Policy. Apple’s Safari browser and Google’s Chrome browser were found to have similar vulnerabilities. Unlike Microsoft, both Apple and Google patched them. The patched issues are tracked as CVE-2017-2419 (Safari) and CVE-2017-5033 (Chrome); administrators are advised to make sure the latest patches are downloaded and installed if either of these browsers is in use.
The vulnerability essentially allows the Content Security Policy (CSP) to be bypassed. CSP is one of the measures employed to enforce the Same-Origin Policy (SOP) inside browsers. Under that policy, a web browser permits scripts contained in one web page to access data in a second web page only if both pages have the same origin. This prevents a malicious script on one page from obtaining access to sensitive data on another page through that page’s Document Object Model.
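As an added example, not code from the article or from any of the browsers it discusses, the following JavaScript evaluates a CSP `script-src` directive against a script URL to show the decision that browser-side enforcement is supposed to make; the policy string and hostnames are constructed samples.

```javascript
// Added example, not from the article: a small evaluator for the CSP
// script-src directive. Handles 'self', 'none', scheme sources (https:)
// and host sources with optional scheme, *. wildcard and port.
const EXAMPLE_POLICY = // constructed sample header
  "default-src 'self'; script-src 'self' https://cdn.example.com *.trusted.net";

function scriptSources(policy) {
  // script-src governs scripts; CSP falls back to default-src when it is absent.
  let scriptSrc = null, defaultSrc = null;
  for (const directive of policy.split(';')) {
    const t = directive.trim().split(/\s+/).filter(Boolean);
    if (t[0] === 'script-src') scriptSrc = t.slice(1);
    else if (t[0] === 'default-src') defaultSrc = t.slice(1);
  }
  return scriptSrc || defaultSrc; // null means nothing restricts scripts
}

function origin(url) {
  // Scheme, host and port are the three components a same-origin check compares.
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

function hostSourceMatches(expr, target) {
  // Host source, e.g. "https://*.example.com:443" or "cdn.example.com".
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() !== target.scheme) return false;
  const h = host.toLowerCase();
  if (wildcard ? !target.host.endsWith('.' + h) : target.host !== h) return false;
  return !port || port === '*' || port === target.port;
}

function scriptAllowed(policy, pageUrl, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const page = origin(pageUrl), target = origin(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") {
      return page.scheme === target.scheme && page.host === target.host && page.port === target.port;
    }
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.slice(0, -1).toLowerCase() === target.scheme;
    return hostSourceMatches(src, target);
  });
}
```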
Bug in Windows Kernel
In the second vulnerability released into the public domain, malware developers could exploit what appears to be a programming error in the Windows kernel. If exploited, the error would prevent security software from detecting malicious code as a threat when it is loaded at runtime. The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into kernel or user space. In theory, an attacker could exploit the bug so that the notification delivered through PsSetLoadImageNotifyRoutine carries an invalid module name, allowing malware to be disguised as a legitimate operation.
This issue came to light when it was discovered by researchers at enSilo. Omri Misgav, the Security Researcher at enSilo who discovered the issue, states that it affects all Windows products released in the last 17 years, beginning with Windows 2000. Misgav’s tests revealed that even the most recent releases of Windows 10 still have the bug. The PsSetLoadImageNotifyRoutine notification mechanism was introduced as a way to programmatically notify app developers of newly registered drivers. Because the system could also detect when a PE image was loaded into virtual memory, the mechanism was also integrated into anti-virus software as a way to detect some types of malicious operations.
Misgav went on record in an email to Bleeping Computer to confirm that enSilo had notified Microsoft’s Security Response Center when the issue was discovered at the beginning of the year. In its correspondence, Microsoft has not deemed the issue a security problem. The biggest problem is that it doesn’t affect Microsoft’s products but rather the effectiveness of security products installed on a user’s system alongside the operating system in question. Misgav acknowledges that not all third-party products use PsSetLoadImageNotifyRoutine to detect malicious code or activity, and that enSilo has not tested any particular security product.
Inconsistencies in Microsoft’s response
While these vulnerabilities may not rank as serious as some of the zero-day events and potential pitfalls seen recently, Microsoft’s lack of response to the questions raised can be seen as perplexing. Once the ShadowBrokers released a score of vulnerabilities and hacking tools into the wild, Microsoft rushed to release patches that would prevent EternalBlue, for example, from affecting a user’s system. Their response was hailed by many as a good example of best practices being used for good. In May of this year, Google’s Project Zero found a bug within Windows that left over a billion PCs open to potential attack. The following Monday, Microsoft released a patch to again shore up its flagship operating system. Again, many researchers and journalists hailed Microsoft for adhering to best-practice procedures. The more hopeful saw this as a true beginning, signaling that corporations often in competition with one another could work together to better secure products and help prevent users from becoming victims.
This time it is hard to look favorably on Microsoft’s actions. In the case of the Edge vulnerability, Microsoft ignored the warnings, contending that the behaviour is a design feature of the browser rather than a security issue, despite Apple and Google patching similar vulnerabilities in their products. With the bug found in the Windows kernel, Microsoft again did not consider the matter a security issue. The researchers considered it enough of an issue to publish their findings after giving Microsoft several months to correct the problems discovered. To an outsider, Microsoft’s responses to security issues appear inconsistent at best and hazardous in the worst case.