This week, headlines blew up with warnings of a design flaw in the CTF subsystem (msctf) of the Windows Text Services Framework that affects all current Windows systems and those going back as far as twenty years. While the news hasn’t reached the Meltdown/Spectre level, IT teams are already scrambling to implement the partial fix issued by Microsoft on Tuesday. Successful exploitation of a CTF vulnerability can lead to a full system compromise that, currently, would go completely undetected by antivirus, EDR and other endpoint detection solutions.
Tavis Ormandy, the Google Project Zero security researcher who discovered the flaw and disclosed it to Microsoft in May, published a full overview (after the 90-day responsible disclosure period was up). He also released a PoC attack and video that demonstrate just how dangerous these msctf flaws can be.
Here at Morphisec Labs we wanted to see how Morphisec’s Moving Target Defense stood up to this latest, but certainly not the last, security risk revelation.
This video demonstrates how CTF issues can be easily exploited to gain remote access on a targeted machine, in this instance by using the exploit that Ormandy developed. It then shows how Morphisec fully prevented exploitation of the CTF susceptibility from day zero, with no updates, no patches and no prior knowledge needed.
The first rule is always to implement available Windows OS patches as soon as possible. Microsoft has already issued a patch that fixes one of the CTF issues, tracked as CVE-2019-1162, in its August Patch Tuesday update. But even with the patch implemented, Windows users are exposed to other msctf flaws – unless they have Morphisec.
Morphisec protects against CTF vulnerabilities by preventing the execution of any exploit targeting them, with no prior knowledge of the attack technique needed.