Connect with us

Hi, what are you looking for?



Google Discloses Details of Unpatched Windows AppContainer Flaw

Google disclosed the details of a Windows ​​AppContainer flaw after Microsoft said it would not fix it, but the software giant later reversed course and said it could address it after all.

Google disclosed the details of a Windows ​​AppContainer flaw after Microsoft said it would not fix it, but the software giant later reversed course and said it could address it after all.

Google Project Zero researcher James Forshaw on Thursday published a blog post describing his research into the Windows firewall and AppContainer, which Microsoft describes as a restrictive process execution environment that prevents applications running within this environment from accessing hardware, files, registry, other apps, and network resources that they are not specifically allowed to access.

“Applications implemented in an AppContainer cannot be hacked to allow malicious actions outside of the limited assigned resources,” Microsoft says in its documentation for AppContainer.

However, Forshaw claims to have discovered a way to bypass these restrictions, potentially enabling an attacker to access services on the localhost and intranet resources.

“The default rules for the [Windows Filtering Platform (WFP)] connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege,” Forshaw explained in an advisory, which also includes proof-of-concept (PoC) exploit code.

Forshaw reported his findings to Microsoft on July 8, but the tech giant told him roughly 10 days later that it would not be fixing it due to the fact that exploitation requires compromising an AppContainer.

According to Google Project Zero rules, the details of a vulnerability are disclosed after 90 days if a fix is not released. However, in this case the bug report was made public much sooner, on July 19, due to Microsoft saying it would not be issuing a fix — bug reports in these situations are made public by Project Zero so that the vendor’s decision can be discussed by everyone.

Advertisement. Scroll to continue reading.

However, just before Forshaw published a blog post detailing his findings on Thursday, Microsoft informed him that it “decided to continue working on this issue.” SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

It’s not uncommon for Google to disclose the details of vulnerabilities that Microsoft has failed to patch within a certain timeframe, including actively exploited flaws. Google’s strict disclosure deadlines have occasionally drawn criticism from Microsoft and others for putting users at risk.

UPDATE: Microsoft has provided the following statement: “We evaluated and are doing what is necessary to keep our customers safe and protected.”

Related: Google Discloses Details of Remote Code Execution Vulnerability in Windows

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Google: Microsoft Improperly Patched Exploited Windows Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.