Vulnerability in Microsoft CTF protocol goes back to Windows XP

  1. Brink's Avatar
    Posts : 41,331
    64-bit Windows 10 Pro build 18963
       #1

    Vulnerability in Microsoft CTF protocol goes back to Windows XP


    CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease.

    According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.

    WHAT IS CTF?

    What CTF stands is currently unknown. Even Ormandy, a well-known security researchers wasn't able to find what it means in all of Microsoft documentation.

    What Ormandy found out was that CTF is part of of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications.

    When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods.

    If the OS input method changes from one language to another, then the CTF server notifies all CTF clients, who then change the language in each Windows app accordingly, and in real-time...



    Read more: Vulnerability in Microsoft CTF protocol goes back to Windows XP | ZDNet
    Last edited by Brink; 3 Days Ago at 09:51.
      My ComputersSystem Spec


 

Related Threads
Read more: https://www.kb.cert.org/vuls/id/906424 https://www.theregister.co.uk/2018/08/28/windows_0day_pops_up_out_of_span_classstrikenowherespan_twitter/
Source: Introducing the Microsoft Edge DevTools Protocol - Microsoft Edge Dev Blog
I see its disabled...and when try check box to enable it, message said it will forcibly disable it. do I need this to be checked on or allow it to stay off? 114868
Read more: New Microsoft Edge vulnerability discovered, leaks password and cookie data, such as Twitter and Facebook passwords | On MSFT Update: Microsoft responds to 3 unpatched Microsoft Edge vulnerabilities, no fixes available yet | On MSFT
Read more: http://www.theinquirer.net/inquirer/news/3005533/google-outs-severe-microsoft-edge-vulnerability-after-firm-misses-90-day-fix-deadline
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 08:28.
Find Us