Security Experts:

Connect with us

Hi, what are you looking for?



Google Discloses Details of Unpatched Windows AppContainer Flaw

Google disclosed the details of a Windows ​​AppContainer flaw after Microsoft said it would not fix it, but the software giant later reversed course and said it could address it after all.

Google disclosed the details of a Windows ​​AppContainer flaw after Microsoft said it would not fix it, but the software giant later reversed course and said it could address it after all.

Google Project Zero researcher James Forshaw on Thursday published a blog post describing his research into the Windows firewall and AppContainer, which Microsoft describes as a restrictive process execution environment that prevents applications running within this environment from accessing hardware, files, registry, other apps, and network resources that they are not specifically allowed to access.

“Applications implemented in an AppContainer cannot be hacked to allow malicious actions outside of the limited assigned resources,” Microsoft says in its documentation for AppContainer.

However, Forshaw claims to have discovered a way to bypass these restrictions, potentially enabling an attacker to access services on the localhost and intranet resources.

“The default rules for the [Windows Filtering Platform (WFP)] connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege,” Forshaw explained in an advisory, which also includes proof-of-concept (PoC) exploit code.

Forshaw reported his findings to Microsoft on July 8, but the tech giant told him roughly 10 days later that it would not be fixing it due to the fact that exploitation requires compromising an AppContainer.

According to Google Project Zero rules, the details of a vulnerability are disclosed after 90 days if a fix is not released. However, in this case the bug report was made public much sooner, on July 19, due to Microsoft saying it would not be issuing a fix — bug reports in these situations are made public by Project Zero so that the vendor’s decision can be discussed by everyone.

However, just before Forshaw published a blog post detailing his findings on Thursday, Microsoft informed him that it “decided to continue working on this issue.” SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

It’s not uncommon for Google to disclose the details of vulnerabilities that Microsoft has failed to patch within a certain timeframe, including actively exploited flaws. Google’s strict disclosure deadlines have occasionally drawn criticism from Microsoft and others for putting users at risk.

UPDATE: Microsoft has provided the following statement: “We evaluated and are doing what is necessary to keep our customers safe and protected.”

Related: Google Discloses Details of Remote Code Execution Vulnerability in Windows

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Google: Microsoft Improperly Patched Exploited Windows Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.