Google disclosed the details of a Windows AppContainer flaw after Microsoft said it would not fix it, but the software giant later reversed course and said it could address it after all.
Google Project Zero researcher James Forshaw on Thursday published a blog post describing his research into the Windows firewall and AppContainer, which Microsoft describes as a restrictive process execution environment that prevents applications running within this environment from accessing hardware, files, registry, other apps, and network resources that they are not specifically allowed to access.
“Applications implemented in an AppContainer cannot be hacked to allow malicious actions outside of the limited assigned resources,” Microsoft says in its documentation for AppContainer.
However, Forshaw claims to have discovered a way to bypass these restrictions, potentially enabling an attacker to access services on the localhost and intranet resources.
“The default rules for the [Windows Filtering Platform (WFP)] connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege,” Forshaw explained in an advisory, which also includes proof-of-concept (PoC) exploit code.
Forshaw reported his findings to Microsoft on July 8, but the tech giant told him roughly 10 days later that it would not be fixing it due to the fact that exploitation requires compromising an AppContainer.
According to Google Project Zero rules, the details of a vulnerability are disclosed after 90 days if a fix is not released. However, in this case the bug report was made public much sooner, on July 19, due to Microsoft saying it would not be issuing a fix — bug reports in these situations are made public by Project Zero so that the vendor’s decision can be discussed by everyone.
However, just before Forshaw published a blog post detailing his findings on Thursday, Microsoft informed him that it “decided to continue working on this issue.” SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.
It’s not uncommon for Google to disclose the details of vulnerabilities that Microsoft has failed to patch within a certain timeframe, including actively exploited flaws. Google’s strict disclosure deadlines have occasionally drawn criticism from Microsoft and others for putting users at risk.
UPDATE: Microsoft has provided the following statement: “We evaluated and are doing what is necessary to keep our customers safe and protected.”