According to the Chromium blog, Google notified Microsoft about severe flaws in its .NET components that would allow an attacker to bypass lockdown.
The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).
The flaw was reported to Microsoft in January of this year. After missing the deadline for a fix in its April security patches, Microsoft requested an extension, suggesting that the fix would be forthcoming in its newest Windows 10 Feature Update.
The extension was denied by Google.
Timeline of events:
-> 2018-01-19: Reported issue to firstname.lastname@example.org and received MSRC case number 43182
<- 2018-02-10: MSRC indicates that the issue has been reproduced and will determine if it’s to be fixed.
<- 2018-02-12: MSRC indicates that due to unforeseen code relationship this will not be fixed in April PT
<- 2018-04-02: MSRC requests the 14 day extension.
-> 2018-04-02: Informed MSRC that as the issue will not be fixed with 90+14 days then the grace extension does not apply.
<- 2018-04-05: MSRC again requests withholding of disclosure until 2018-05-08, giving more context on the deadline miss.
-> 2018-04-06: Informed MSRC that this isn’t possible. Made it clear that the issue isn’t particularly serious and other .NET based DG bypasses are still unfixed.
<- 2018-04-11: MSRC again requests grace extension based on the upcoming release of RS4 which will have the fix
-> 2018-04-12: Informed MSRC that as there’s no firm date for RS4 this couldn’t be applied, and RS4 wouldn’t be considered a broadly available patch per the disclosure conditions.
-> 2018-04-19: Issue exceeds deadline.
Incidentally, Microsoft has also missed the original deadline for delivering the Windows 10 April Update.