The first of these vulnerabilities, which affects all Windows Vista/Server 2008 systems and above, meaning basically all systems still in operation, has already been patched by Microsoft, with the others coming later.
Field Effect, an Ottawa-based cyber security company, which provides threat protection services specifically focused on the underserved SMB market, has announced that their security research team has discovered a series of critical zero-day security vulnerabilities which could be exploited to give attackers swift kernel-level privileges in Windows Vista/Server 2008 and all newer releases. These were reported to Microsoft in early May. Microsoft issued patches for the first vulnerability, CVE-2021-34514, in its Patch Tuesday update of July 13, 2021. Patches for the remaining vulnerabilities are scheduled for the fall.
“This patch was the first of a series of vulnerabilities that we disclosed to Microsoft that deal with possible privilege escalations,” said Matt Holland, Field Effect’s Founder, CEO, and CTO. “They allow an attacker to upgrade privilege level from basic sandbox level, which is highly protected, to full kernel access. It’s the equivalent of going from 0 to 60 easily, and definitely gives the attacker the upper hand. We have updated our Covalence platform to protect against these vulnerabilities, but if an attacker were to find the vulnerabilities in the absence of this kind of protection, it would be very difficult to defend, because the attacker can go from the lowest execution level to the OS kernel so quickly. It is a potential disaster.”
The CVE-2021-34514 vulnerability was discovered by Erik Egsgard, Field Effect’s principal security researcher. It is a race condition vulnerability and resides in the Advanced Local Procedure Call (ALPC) facility of the Windows kernel (ntoskrnl.exe).
“This and these other vulnerabilities have been in every system since Vista,” Holland said. “However, unless you are a professional, you would not know how to identify these kinds of bugs, which is how they have remained undetected for so long, by Microsoft and by everybody else. It comes down to the calibre of the security team, and there are simply not enough people of this calibre in the industry.”
Holland also noted that while many cybersecurity companies have announced their discovery of Microsoft vulnerabilities in the past, to his knowledge Field Effect is the first Canadian company to do so.
“We believe that it is a first for the country,” he said.
Holland said that Microsoft's decision to delay the release of the later patches reflects its perspective as a vendor.
“They are concerned that there are potential consequences if you rush a patch, particularly around introducing new bugs,” he stated. “We gave them advice on how to fix it, so we think it shouldn’t really take that long, but we know they have a different perspective on it than we do.”
Field Effect is noteworthy in its space for its explicit focus on the SMB market, which has typically seen this kind of solution as too pricey or too complex for it.