Security News > 2020 > August > Microsoft's Patch for LSASS Flaw Incomplete, Google Researcher Says

Microsoft failed to properly address an elevation of privilege vulnerability in the Windows Local Security Authority Subsystem Service, the Google Project Zero researcher who discovered the issue says.
"LSASS doesn't correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials," Project Zero security researcher James Forshaw noted in May. At the time, the researcher explained that the issue is related to a legacy AppContainer capability providing access to the Security Support Provider Interface, likely meant to facilitate the installation of line of business applications within enterprise environments.
Authentication should be allowed only if the target specified in the call is a proxy, but Forshaw discovered that the authentication would be allowed even if the network name doesn't match a registered proxy.
"What this means is that an AppContainer can perform Network Authentication as long as it specifies a valid target name to InitializeSecurityContext, it doesn't matter if the network address is a registered proxy or not," the researcher explains.
Microsoft, which rates the vulnerability as important, released a fix for supported versions of Windows and Windows Server on August 2020 Patch Tuesday.
News URL
Related news
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Twin Google flaws allowed researcher to get from YouTube ID to Gmail address in a few easy steps (source)
- Google paid $12 million in bug bounties last year to security researchers (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)