fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows 10 Privacy Settings bug lets users change admin options

Windows 10 Privacy Settings bug lets users change admin options

Windows 10

The Microsoft June 2020 Patch Tuesday consisted of 129 security fixes for critical and important vulnerabilities. Of these, an “Important” and equally ironic vulnerability, tracked as CVE-2020-1296, concerns privilege escalation in the Windows Diagnostics & Feedback settings app: the annoying privacy setting screen is shown to users when setting up or upgrading Windows.

Discovered by security researcher Kushal Arvind Shah of FortiGuard Labs, the vulnerability exists because of how privacy settings are applied across different user accounts, in a broken and inconsistent manner.  

“The root cause for this vulnerability is the lack of Privacy Settings Segregation and the incorrect handling of Windows Diagnostic Data feedback in memory across all users on the Windows 10 platform,” said Shah.

What this means is, when initially installing and configuring Windows 10, the Administrator is presented with a “Diagnostics & Feedback” options screen. From this screen, the administrator can set whether full diagnostic data is sent to Microsoft for analysis, or a basic level of information, in the event of crashes or other anomalies being detected.

Also read: 6 Simple Tips on Cyber Safety at Home

Privacy settings screen
Privacy Settings screen
Source: BleepingComputer

When configuring these settings using an administrator account during a Windows setup or upgrade, the researcher explains that “All Users on the system [are] required to abide by the Diagnostic Data settings chosen/opted-for by the Administrator.”

When an Administrator initially sets a privacy setting, say to send “Full” diagnostic information, the setting is also applied across all standard (non-admin) accounts on the same machine. However, when the standard user logs into their account, they can further configure Diagnostics & Feedback settings for their account.

Source: Bleeping Computer

In the case of this CVE-2020-1296 vulnerability, when toggling between “Basic” and “Full” settings a few times, the standard user is able to override the Administrator’s Diagnostics settings in an unauthorized manner. 

This ability allows the standard user to effectively alter not only their own but also the Administrator account’s Diagnostics & Feedback preferences.

This vulnerability is caused by a race condition as well as a lack of “privacy settings segregation” across user accounts.

Race condition vulnerabilities occur when a user attempts to perform simultaneous operations, but these happen out-of-order, resulting in unintended and often incorrect outcomes. An electronic bank ledger analogy conveys the serious consequences race conditions can have in the real world.

Shah demonstrated this vulnerability in the following YouTube video.

Why does it matter?

At first glance, this may seem like an innocuous flaw.

Why does it matter if a system is sending Full or Basic diagnostics information to Microsoft, which is aggregated in bulk anyway and benefits research efforts at Microsoft?

You’d think, at most, this is a minor access violation.

Things get serious, however when apps like Windows Defender and Microsoft Edge browser rely on these very settings to offer enhanced protection to their users.

Enabling “Full” level of Diagnostics & Feedback reporting enables Windows Defender SmartScreen capability to work.  That means, Defender can constantly monitor web browsing history in an attempt to collect data on malicious domains and threats, and add these to their list of “harmful websites.”

When a standard user account can downgrade the information reporting to a “Basic” level, however, such protections lapse as this data will no longer be communicated to Microsoft.

“Also it can be categorized as a “Security Bypass” vulnerability as it denies new security/feature updates to Windows Insider Users,” stated Shah. “Windows Insider Channel Users are required to have the Diagnostic Data setting set to “Full” to receive any new security/feature updates, and any unauthorized change to this setting denies further Insider Channel updates on that system.” 

In this manner, a standard account user who alters the settings – either unknowingly, or with malicious intent, can hinder enhanced protections for all users present on the system.

The advisory suggests that for remediation, users should install the latest set of Microsoft updates. 

“Due to the important rating of this vulnerability, and its implications with regards to user privacy, we suggest users should apply these Microsoft patches as soon as possible,” Shah recommends.

Information related to this CVE and patches is available at Microsoft’s Security Response Center.

Also read: 7 Key Principles of Privacy by Design that Businesses should adopt

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us