Google discloses bug in Windows after incomplete Patch Tuesday fix

Details of a medium severity security vulnerability in Microsoft's Windows operating system were made public by Google's Project Zero security team. The latter reported the bug to Microsoft on May 5, 2020. Google uses a standard 90-days deadline and also gave Microsoft an extra grace period so the software giant could patch the vulnerability via August's Patch Tuesday cycle.

However, it appears yesterday's Patch Tuesday update did not completely fix the bug. With the deadline expired, Google has made the bug public, which is standard policy to urge software makers to release fixes sooner.

Google Project Zero's security researcher James Forshaw states that:

What this means is that an AppContainer can perform Network Authentication as long as it specifies a valid target name to InitializeSecurityContext, it doesn’t matter if the network address is a registered proxy or not. This is probably not by design, but then this behavior only warrants a few throw away comments with no in depth detail on how it’s supposed to behave, maybe it is by design.

The result, as you can specify any Target Name you like you could authenticate to a network facing resource as long as the Application has network access capabilities which aren’t really restricted. Also as you can specify any target name, and you’re doing the actual authentication then server protections such as SPN checking and SMB Signing are moot.

Forshaw explains that theoretically, a local attacker can utilize this by using Classic Edge to access localhost services due to the backdoor in Firewall APIs, and then finding a system service to escape.

Full details at Neowin.