Microsoft still hasn't fixed US$100,000 bounty bug

News by Tim Ring

Some eight months after discovery and paying a bug bounty of US100,000, Microsoft Windows remains vulnerable to the weakness found by James Forshaw.

Microsoft has still not fixed a major Windows platform vulnerability that was revealed more than eight months ago by British security researcher James Forshaw, earning him a record US$100,000 (£58,776) bug bounty award from Microsoft.

Forshaw, head of vulnerability research at UK-based Context Information Security, has gone public on the problem in a blog post this week.

Last October, when he received his award, he vowed not to reveal any details of the mitigation bypass technique until Microsoft addressed it, but has now relented after other security researchers including Fortinet, came across the same problem and blogged about it.

Forshaw says the attack technique he discovered works by exploiting the way Microsoft's Component Object Model (COM) software components standard works, enabling attackers to disable the security checks that test whether a COM object is safe or not.

Attackers can then write COM objects which include potentially dangerous functionality, such as arbitrary script code execution.

The ‘proof of concept' attack that Forshaw describes in his blog targets the COM objects implemented in Microsoft's MSXML libraries, which are installed by default in Windows 8.1.

Such objects, he said “are pretty much considered de-facto secure, as without them some websites would break; therefore there are no issues with site-locking or blacklisting. They can even be created in the immersive version of Internet Explorer without issue.”

But Forshaw told that, apart from Windows and IE, the technique is “widely applicable” – explaining the record award he received for discovering it.

He explained: “It would, in theory, work on any browser, any platform, any system; it's not a Windows-specific vulnerability. In the particular instance I described there is a higher risk associated with it because of the way in which they've constructed the platform effectively so in this particular case it was very specific to IE, but the general technique is not specific.”

Forshaw confirmed that Microsoft has not yet fixed the problem, telling journalists: “It is a more general problem, which is difficult to fix in a simple way.”

He added: “There is no indication of how or when the fixes will be available but when they do come they will probably be across the board in various different technologies.”

Commenting on the time-lag in fixing the issue, industry expert Graeme Batsman, security director of EncSec, was critical of Microsoft.

He told SC UK via email: “With £100,000 being paid out and a fair bit of online media coverage you would think Microsoft would have fixed it and sent a patch out on their frequent cycles. Clearly if the good guys and girls have found a flaw and reported it, the bad guys and girls could have found one and of course they would have not reported it. Think of OpenSSL.”

Batsman added: “Microsoft's security reputation is poor, we all know that. Just look at Windows Defender (MSE) poor catch rates last year. Windows operating systems are made up of tens of millions of lines of code - like anything big there will be flaws like the one James Forshaw spotted last year.

“Exploits, mainly drive-by-downloads, are very much a problem. Java, Flash, PDF and recently Silverlight are the main culprits, not Microsoft core technology in a large percentage of these. Of course Internet Explorer is still exploited but Java is typically at the top.”

Forshaw told SC UK that Microsoft has made some visible progress since October, for example modifying one of Internet Explorer's core components, the scripting engine.

But he added: “Basically the only way they can realistically fix it is to take each piece of vulnerable software in turn and re-engineer it.”

Forshaw warned that the exploitation technique shows that : “No matter how well exploit mitigations are put into place in any platform there's always going to be vulnerabilities and there's always going to be ways of exploiting those vulnerabilities even with something that you wouldn't immediately believe is exploitable.”

But on the positive side he said: “The fact that it's a potentially complex attack - it requires a lot of effort to use this bypass in a useful way to exploit a target - is an indication that software is getting more secure, it is becoming more difficult. The cost of exploiting vulnerabilities is just getting more expensive.”

Forshaw added that his test case only worked reliably on 32-bit versions of Internet Explorer, not 64-bit.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews