The Google Project Zero team identified a flaw in the Windows Local Security Authority Subsystem Service that would allow an attacker to bypass Enterprise Authentication in order to elevate their privileges (via Neowin).
The flaw lets an app running inside a legacy Windows AppContainer sandbox use Enterprise Authentication, that is, single sign-on with the logged-on user's domain credentials, even though it was never granted that capability. Enterprise Authentication is meant to be a restricted capability: it must be declared explicitly and is not handed to a Windows Store app by default.
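Because the bug is about a capability being usable without having been granted, the first thing a defender usually wants to know is which packaged apps on a machine legitimately declare it. The PowerShell snippet below is an added example written for this page, not code from Project Zero or Microsoft; it walks every installed Appx package, reads its AppxManifest.xml and reports the ones that declare the enterpriseAuthentication capability (the manifest element name is matched without a namespace so both the older Capability and the newer uap:Capability forms are found). It assumes it is run from an elevated prompt, which Get-AppxPackage -AllUsers requires.

```powershell
# Added example: enumerate installed packaged apps that declare the
# enterpriseAuthentication capability. Run from an elevated PowerShell.
function Get-EnterpriseAuthApps {
    Get-AppxPackage -AllUsers | ForEach-Object {
        $pkg = $_
        # Framework/staged packages can lack an install location; skip them.
        if (-not $pkg.InstallLocation) { return }
        $manifestPath = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
        if (-not (Test-Path -LiteralPath $manifestPath)) { return }

        try {
            [xml]$manifest = Get-Content -LiteralPath $manifestPath -Raw
        } catch {
            Write-Warning "Could not parse manifest for $($pkg.PackageFullName): $_"
            return
        }

        # Match <Capability Name="enterpriseAuthentication"/> regardless of
        # XML namespace (uap:Capability on Windows 10, Capability on 8.1-era apps).
        $caps = $manifest.SelectNodes(
            "//*[local-name()='Capability' and @Name='enterpriseAuthentication']")
        if ($caps.Count -gt 0) {
            [pscustomobject]@{
                Name            = $pkg.Name
                Version         = $pkg.Version
                Publisher       = $pkg.Publisher
                PackageFullName = $pkg.PackageFullName
            }
        }
    }
}

# Usage: list the apps, then review whether each one genuinely needs SSO.
Get-EnterpriseAuthApps | Sort-Object Name | Format-Table -AutoSize
```

Anything that does not appear in this list but still manages to authenticate to domain resources from inside an AppContainer is behaving the way the advisory describes; the list is the baseline to compare against, not a detection of the bug itself.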
Microsoft's own advisory on the issue indicates that a "remote attacker who successfully exploited this vulnerability could cause an elevation of privilege on the target system's LSASS service." A proof of concept built by the researcher who discovered the problem shows a sandboxed process connecting to the local SMB server and listing its network shares, something the process should not have been able to do without the Enterprise Authentication capability.
The problem was originally reported by Google Project Zero on May 5. Its standard practice is to give the vendor 90 days to fix an issue before it is made public, and Google offered Microsoft an additional grace period so that a fix could ship in the Patch Tuesday rollout that happened yesterday.
While Microsoft did include a fix for the problem in that update, it did not correct the flaw entirely. A second code path, involving a DsCrackSpn2 call, was not fixed. The patch narrows the problem rather than closing it: the remaining variant requires the system to have a proxy configured. Since that is a common configuration in enterprise environments, the Windows 10 users most likely to depend on Enterprise Authentication are exactly the ones still exposed.
Microsoft has not given any guidance on when a fix for this remaining issue will be released and, according to its advisory, it affects Windows Server 2012, 2016, 2019, Windows RT 8.1, Windows 8.1 and Windows 10 through version 2004.