This Critical Windows Bug Can Make an Attacker the System Admin

essidsolutions

The world’s most widely used operating system, Windows by Microsoft, is still marred by a high number of security vulnerabilities. One of the Windows bugs patched in the January 2022 Patch Tuesday existed in the wild for two years. What is possibly going wrong at the second-most valued company by market cap?

It would seem Microsoft is intent on keeping its rather poor reputation for having to retrace its steps whenever security issues come to light in its products. The company is gaining notoriety for releasing software carelessly, or at least without the level of diligence that modern cybersecurity demands.

Of course, that is not to say that other companies' software and products are spotless. Like Microsoft, they too have to fix bugs and vulnerabilities when these are pointed out. However, few companies, and especially few of the largest, have a track record of shipping a fix for a vulnerability only to leave the same code exposed for another two years.

For instance, in July 2021 Microsoft released an out-of-band emergency update for the Windows vulnerabilities known as the PrintNightmare flaws, which reside in the Windows print spooler service. However, researchers at Carnegie Mellon University's CERT Coordination Center soon pointed out that the update did little to fix the underlying issue.

The Windows print spooler has a history of susceptibility to critical issues. The June/July 2021 revelations were the fifth time it came under the limelight, having previously been associated with Evil Printer, PrintDemon, and FaxHell.

Later, in July and August 2021, the company issued another botched update. These new updates fixed the PrintNightmare security issues but caused the Alt+Tab functionality, i.e., switching between open windows with the Alt and Tab keys, to malfunction. This marked the third consecutive month in which the IT behemoth bungled its Windows updates.

This time, the patches Microsoft shipped on its January 2022 Patch Tuesday fixed the vulnerabilities but introduced regressions of their own: broken L2TP VPN connectivity, Windows Server domain controllers restarting unexpectedly, Hyper-V virtual machines failing to start, and ReFS-formatted removable media failing to mount. The company issued an out-of-band update a few days after Patch Tuesday to address them.


Furthermore, one bug from the list of 97 patched flaws, tracked as CVE-2022-21882, had reportedly been known to at least one researcher for two years before it was fixed. The flaw is closely related to CVE-2021-1732, a win32k elevation-of-privilege vulnerability patched in February 2021: CVE-2022-21882 is a bypass of that patch. It paints a rather disturbing picture of Microsoft, in that the Redmond giant failed to spot that its fix for CVE-2021-1732 could be sidestepped.

Had RyeLv, the security researcher credited with reporting CVE-2022-21882, not discovered it, the vulnerability could well have gone unfixed for even longer.

Regarding the just-fixed CVE-2022-21882:
win32k privilege escalation vulnerability,
CVE-2021-1732 patch bypass, easy to exploit, which was used by APT attacks

— b2ahex (@b2ahex) January 12, 2022

CVE-2022-21882 matters because it allows an attacker who already has local code execution to elevate their privileges on a vulnerable Windows system. RyeLv details the elevation-of-privilege vulnerability in a blog post.

“The attacker can call the relevant GUI API from user mode to make the kernel call functions like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will trigger the callback xxxClientAllocWindowClassExtraBytes. An attacker can intercept this callback by hooking xxxClientAllocWindowClassExtraBytes in the KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which modifies the window type. After the final callback, the system does not check whether the window type has changed, and the wrong data is referenced due to type confusion. The difference before and after the flag is modified is that before setting the flag, the system thinks that tagWND.WndExtra holds a user-mode pointer; after the flag is set, the system thinks that tagWND.WndExtra is an offset into the kernel desktop heap. The attacker can control this offset and thereby cause out-of-bounds read and write.”

This means that a threat actor who can run code as an ordinary user on the vulnerable machine could gain Windows administrator (effectively SYSTEM) privileges. From there, the attacker can perform admin-level tasks such as creating new administrator accounts, disabling defenses, and using the machine as a foothold to move further into the network.
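To make the type confusion in RyeLv's description concrete, here is an added, portable C model of the bug class (it is not RyeLv's code and not real win32k code; the field names tagWND, WndExtra and the ConsoleWindow flag follow the write-up, but the struct layout, the flag value, the heap size and the 0x1000 offset are assumptions made for illustration). The "kernel" asks a user-mode callback to allocate a window's extra bytes, the attacker's hook flips the window type while the callback is running, and the stored value is afterwards interpreted as a desktop-heap offset instead of a user-mode pointer. The hardened variant snapshots the type before the callback and refuses the result if it changed, which is the check the write-up says is missing on the paths that reach the callback.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model of the relevant tagWND fields (assumed layout, not Windows'). */
#define WF_CONSOLEWINDOW 0x01u   /* assumed bit standing in for the ConsoleWindow flag */

typedef struct tagWND {
    uint32_t  flags;       /* window type; the ConsoleWindow bit changes how wnd_extra is read */
    uintptr_t wnd_extra;   /* user-mode pointer OR desktop-heap offset, depending on flags */
} WND;

/* Constructed stand-in for the kernel desktop heap that offsets are applied to. */
#define DESKTOP_HEAP_SIZE 64
static uint8_t desktop_heap[DESKTOP_HEAP_SIZE];

/* Constructed user-mode buffer where a legitimate window's extra bytes live. */
static uint8_t user_extra_buf[16];

/* Stand-in for the KernelCallbackTable slot of xxxClientAllocWindowClassExtraBytes.
   The table lives in user mode, so the attacker can swap this function pointer. */
typedef uintptr_t (*alloc_extra_cb)(WND *wnd, size_t cb);
static alloc_extra_cb kernel_callback_table_alloc = NULL;

/* Benign callback: allocate user-mode storage and hand back its address. */
static uintptr_t benign_alloc(WND *wnd, size_t cb) {
    (void)wnd; (void)cb;
    return (uintptr_t)user_extra_buf;
}

/* Attacker's hook: while the kernel waits on the callback, change the window
   type (the write-up does this through NtUserConsoleControl) and return a value
   that the kernel will now treat as a desktop-heap OFFSET rather than a pointer. */
static uintptr_t hooked_alloc(WND *wnd, size_t cb) {
    (void)cb;
    wnd->flags |= WF_CONSOLEWINDOW;
    return 0x1000;   /* assumed attacker-chosen offset, far past DESKTOP_HEAP_SIZE */
}

/* How the "kernel" later resolves the extra bytes for a read or write. */
static uint8_t *resolve_extra(const WND *wnd) {
    if (wnd->flags & WF_CONSOLEWINDOW)
        return desktop_heap + wnd->wnd_extra;   /* offset into the kernel heap */
    return (uint8_t *)wnd->wnd_extra;           /* user-mode pointer */
}

/* Vulnerable path: stores the callback result without re-checking the window type. */
static bool alloc_extra_vuln(WND *wnd, size_t cb) {
    wnd->wnd_extra = kernel_callback_table_alloc(wnd, cb);
    return true;
}

/* Hardened path: snapshot the type, call out, and reject the result if the type moved. */
static bool alloc_extra_fixed(WND *wnd, size_t cb) {
    uint32_t type_before = wnd->flags & WF_CONSOLEWINDOW;
    uintptr_t v = kernel_callback_table_alloc(wnd, cb);
    if ((wnd->flags & WF_CONSOLEWINDOW) != type_before)
        return false;   /* window type changed during the callback: refuse */
    wnd->wnd_extra = v;
    return true;
}

/* True when the kernel would apply wnd_extra as a heap offset that lies outside the heap. */
static bool extra_is_oob(const WND *wnd) {
    if (!(wnd->flags & WF_CONSOLEWINDOW)) return false;
    return wnd->wnd_extra >= DESKTOP_HEAP_SIZE;
}

/* Scenario 1: hooked callback against the unchecked path -> out-of-bounds heap access. */
bool demo_vulnerable(void) {
    WND w = { 0, 0 };
    kernel_callback_table_alloc = hooked_alloc;
    alloc_extra_vuln(&w, 8);
    return extra_is_oob(&w);          /* the OOB pointer is never dereferenced here */
}

/* Scenario 2: the same hook against the checked path is refused. */
bool demo_fixed(void) {
    WND w = { 0, 0 };
    kernel_callback_table_alloc = hooked_alloc;
    return alloc_extra_fixed(&w, 8);
}

/* Scenario 3: a benign callback still works with the check in place. */
bool demo_benign(void) {
    WND w = { 0, 0 };
    kernel_callback_table_alloc = benign_alloc;
    return alloc_extra_fixed(&w, 8) && resolve_extra(&w) == user_extra_buf;
}

int main(void) {
    printf("unchecked path leads to OOB: %s\n", demo_vulnerable() ? "yes" : "no");
    printf("checked path rejects hook:   %s\n", demo_fixed() ? "no" : "yes");
    printf("checked path allows benign:  %s\n", demo_benign() ? "yes" : "no");
    return 0;
}
```

The design point is that the check must sit on every kernel path that reaches the callback, since the write-up lists several window procedures (xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc) that all end up in the same callback; guarding one caller and leaving the others unguarded is exactly what turns a patch into a patch bypass.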

While its CVSS score of 7.0 places CVE-2022-21882 in the ‘Important’ (Microsoft) or ‘High’ (CVSS) band, the threat is more significant than the number suggests: Microsoft updated the vulnerability's advisory page to indicate that it is under active exploitation.

This raises the question of why Gil Dabah, CEO of the Israeli privacy company Piiano, who says he found the bug two years ago, did not disclose it at the time. He believes that Microsoft pays too little through its bug bounty program.

The reason I didn’t disclose it was because I waited to get paid by Msft for a long time for other stuff. By the time they paid, they reduced awards to almost nothing. I was already busy with my startup and that’s the story of how it went unfixed. @ja_wreck

— Gil Dabah (@_arkon) January 28, 2022


Dabah is not alone in this complaint. As several researchers have attested, Microsoft's Bug Bounty Program cut its payouts from April 2020 onwards. “Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀,” warned Marcus Hutchins, aka MalwareTech, the infosec researcher famous for stopping the WannaCry ransomware attack.

BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability able to be triggered from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse
@msftsecurity pic.twitter.com/sJw3cjsliF

— rthhh (@rthhh17) November 9, 2021

A Reddit user went so far as to say that Microsoft “scammed me out of a teams bug bounty.”

On the other hand, Microsoft has also changed how it tests its products before release. Jerry Berg, a former senior software development engineer in test (SDET) at Microsoft, explained in a video some time back that issues in Windows 10 are increasing because Microsoft replaced the human testers responsible for finding and reporting bugs with automated virtual test machines.

“These issues would have been found by the test team that was at Microsoft that basically were the gatekeepers, and that’s actually what they called us,” Berg said in the video. “The consumers are now testing this software.” It is unclear what Microsoft’s testing team looks like currently, but it stands to reason that change should be on the cards.

The patches released on the January 2022 Patch Tuesday should be applied to all vulnerable Windows systems, since CVE-2022-21882 is being exploited in the wild. To avoid the regressions described above, administrators should also install the out-of-band update Microsoft issued a few days later.
