Flawed Microsoft CTF Protocol Could Provide Admin Credentials and Take Over Systems

NJCCIC Alert

Original Release Date: 2019-08-19

Google security researcher Tavis Ormandy discovered that the CTF protocol, used by Microsoft operating systems going back to Windows XP, can be exploited to give threat actors elevated privileges and control over an affected system. The problem lies in the way Microsoft CTF (MSCTF) clients and servers communicate with each other. MSCTF is a protocol in the Windows Text Services Framework (TSF) that manages input methods, keyboard layouts, text processing, and speech recognition. Because the protocol has no access control or authentication, successful exploitation of its vulnerabilities could allow malicious actors to remotely take control of systems, execute arbitrary code, install programs, access and modify data, and create new accounts with full user permissions.

The NJCCIC recommends that users and administrators immediately apply updates to vulnerable systems after appropriate testing. Microsoft addressed the CTF protocol vulnerability, CVE-2019-1162, in this week’s Patch Tuesday updates and provides details in its Security Update Guide. We encourage users to review the Google blog for more information and technical demos.

New Jersey Cybersecurity & Communications Integration Cell
