Talos: Here’s a serious Windows bug. Microsoft: Chill, it’s not that serious

Cisco’s Talos security limb has announced a new Microsoft Windows vulnerability and appears to have gone public because it feels Microsoft isn’t taking things seriously.

Microsoft’s aware of the vulnerability, but yesterday, the date on this advisory, Redmond still described the bug as “not disclosed”.


That changed with this disclosure by Cisco’s Talos Intelligence. The company’s Marcin Noga says the bug relates to the DLL that handles Windows Imaging Format (WIM) files.

Windows uses the wimgapi DLL to work on WIM files, which use a proprietary disk image format designed to simplify Windows deployments.

“If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack,” Noga wrote.

Talos provides extra detail here. The bug in wimgapi is in a function called LoadIntegrityInfo, which parses the WIM file header.

“The vulnerability triggers even on the simplest operations performed on a malformed WIM file because it's related to file header parsing. It triggers just after we try to obtain a WIM file handle via:

    hWim = WIMCreateFile(pszWimFile.c_str(), // Path to existing .wim file
                         WIM_GENERIC_READ,   // Access mode
                         WIM_OPEN_EXISTING,  // Open disposition
                         dwCreateFlags,
                         0,                  // Compression type is ignored for WIM_OPEN_EXISTING.
                         &dwCreateResult);”

After more work, the attacker reaches a point where there’s a “fully controllable heap corruption” giving the attacker remote code execution.
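An added defensive check, not code from Talos, Microsoft or the advisory: a small Python pre-filter that reads a WIM header and verifies that the integrity-table resource it points at lies inside the file and is internally consistent, so a malformed header can be quarantined before wimgapi ever opens it. The header offsets and the integrity-table layout are assumed from public descriptions of the WIM format, and the sample images are constructed test data.

```python
import struct

# Layout constants: assumed from public descriptions of the WIM format,
# not from the Talos advisory. Sample images built below are constructed.
WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0          # fixed on-disk header size
INTEGRITY_RESHDR_OFF = 0x7C     # resource header pointing at the integrity table
INTEGRITY_TABLE_FIXED = 12      # u32 size, u32 num_entries, u32 chunk_size
SHA1_LEN = 20

def parse_reshdr(data, off):
    """Resource header: 7-byte size, 1-byte flags, i64 offset, i64 original size."""
    size = int.from_bytes(data[off:off + 7], "little")
    offset, original = struct.unpack_from("<qq", data, off + 8)
    return size, data[off + 7], offset, original

def check_wim_header(data):
    """Return findings for a WIM image; [] means the integrity-table fields the
    header points at stay inside the file and agree with each other."""
    if len(data) < WIM_HEADER_SIZE:
        return ["file shorter than the fixed WIM header"]
    findings = []
    if data[:8] != WIM_MAGIC:
        findings.append("bad magic")
    if struct.unpack_from("<I", data, 8)[0] != WIM_HEADER_SIZE:
        findings.append("unexpected header size field")
    size, _flags, offset, original = parse_reshdr(data, INTEGRITY_RESHDR_OFF)
    if size == 0:
        return findings                          # no integrity table present
    if offset < WIM_HEADER_SIZE or offset + size > len(data):
        findings.append("integrity table at %#x (+%#x) lies outside the file" % (offset, size))
        return findings
    if size < INTEGRITY_TABLE_FIXED or size != original:
        findings.append("integrity table size %#x is implausible" % size)
        return findings
    tbl_size, num_entries, _chunk = struct.unpack_from("<III", data, offset)
    if tbl_size != size or INTEGRITY_TABLE_FIXED + num_entries * SHA1_LEN != size:
        findings.append("integrity table entry count %d does not match size %#x"
                        % (num_entries, size))
    return findings

def build_sample(table_offset, table_size, num_entries):
    """Construct a minimal header plus integrity table (test data, not a real image)."""
    hdr = bytearray(WIM_HEADER_SIZE)
    hdr[:8] = WIM_MAGIC
    struct.pack_into("<I", hdr, 8, WIM_HEADER_SIZE)
    hdr[INTEGRITY_RESHDR_OFF:INTEGRITY_RESHDR_OFF + 7] = table_size.to_bytes(7, "little")
    struct.pack_into("<qq", hdr, INTEGRITY_RESHDR_OFF + 8, table_offset, table_size)
    table = struct.pack("<III", table_size, num_entries, 0x8000) + b"\x11" * (num_entries * SHA1_LEN)
    return bytes(hdr) + table
```

Run `check_wim_header` over a file's bytes at an ingestion point (mail gateway, deployment share scanner) and treat any non-empty result as grounds to hold the file rather than pass it to WIMCreateFile.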

Talos’ decision to disclose may be because its assessment of the severity of the bug is higher than Microsoft’s. Talos gives the vulnerability a CVSSv3 (Common Vulnerability Scoring System) score of 8.8 and describes it as network-exploitable, of low attack complexity, and exploitable by an unprivileged attacker – provided they can trick the victim into interacting with the file. Talos rates its impacts on confidentiality, integrity, and system availability as high.

Microsoft, on the other hand, scored it lower (base 7.3, temporal 6.6), most likely because it assessed the vulnerability as being available only to local attackers.

Talos’ disclosure notes that they first advised Microsoft of the vulnerability on March 27, 2018.

The bug affects various Windows 10, Windows 8.1, and Windows Server editions. ®
