However, it appears yesterday's Patch Tuesday update did not completely fix the bug. With the deadline expired, Google has made the bug public, which is standard policy to urge software makers to release fixes sooner.
Google Project Zero security researcher James Forshaw states (full details at Neowin):
“What this means is that an AppContainer can perform Network Authentication as long as it specifies a valid target name to InitializeSecurityContext; it doesn’t matter if the network address is a registered proxy or not. This is probably not by design, but then this behavior only warrants a few throwaway comments with no in-depth detail on how it’s supposed to behave; maybe it is by design.
“The result: as you can specify any Target Name you like, you could authenticate to a network-facing resource as long as the Application has network access capabilities, which aren’t really restricted. Also, as you can specify any target name, and you’re doing the actual authentication, then server protections such as SPN checking and SMB Signing are moot.”
Forshaw explains that, theoretically, a local attacker could exploit this by using Classic Edge to access localhost services, which is possible because of the backdoor in the Firewall APIs, and then finding a system service through which to escape.