Another brief addendum to a topic that has been on my stack for a few days already. James Forshaw from Google Project Zero disclosed a vulnerability in Windows AppContainers as early as mid-August 2021, which allows network communication past the firewall. After Microsoft was informed about the vulnerability, it said that it would not provide a patch. Recently, however, Microsoft backtracked and announced a patch to Forshaw. James Forshaw from Project Zero has since made the vulnerability and its details public.
I had already seen the whole thing about 2 weeks ago on SecurityWeek, but then became aware of the issue again via Twitter.
The problem is quickly outlined: Microsoft writes that applications in an AppContainer cannot be hacked to perform malicious actions outside of their limited allocated resources. However, security researcher James Forshaw of Google Project Zero has discovered a vulnerability in the Windows AppContainer that allows applications to bypass firewall rules.
Firewall rules can be bypassed
In the blog post Understanding Network Access in Windows AppContainers, he describes how he looked into the inner workings of the Windows Firewall. The firewall is used to enforce restrictions. This includes rules about whether applications from AppContainer sandboxes, for example, are allowed or not allowed to access the network.
In this context, it is interesting to see whether it is possible to bypass network restrictions in AppContainer sandboxes. In such a scenario, the attack surface of a malicious application running in the AppContainer increases. For example, the application gets the opportunity to access services via localhost or attempt to access intranet resources in an enterprise.
Since the mechanism Windows Firewall uses to restrict access to the network from an AppContainer is probably not officially documented, Forshaw describes the details of how the restrictions are implemented.
During his investigation, the security researcher then discovered a configuration issue associated with Windows Firewall. This makes it possible to bypass the firewall's restrictions on communication and allow an AppContainer process to access the network. The details are described in the blog post Understanding Network Access in Windows AppContainers.
Microsoft initially does not want to patch
Forshaw then notified Microsoft of his discovery on July 8, 2021. Unfortunately, Microsoft already decided on July 19 that this problem did not meet the requirements of a security bulletin.
Microsoft's reasoning was that since the apps in the AppContainer cannot be hacked, a compromised app would already have to be injected there to exploit the vulnerability. So it's not really a security issue. The report was flagged as a WontFix.
However, after Forshaw posted his findings on Google Project Zero on July 9, 2021, and, probably based on Microsoft's response, published them on July 19, 2021, Microsoft did an about-face. Redmond told Forshaw that they would develop a patch after all. In the meantime, however, Forshaw has disclosed his findings with full details in the blog post Understanding Network Access in Windows AppContainers. I don't know when a patch will come from Microsoft.