In its latest Patch Tuesday update, Microsoft failed to properly fix a bug in the Windows Local Security Authority Subsystem Service (LSASS). The vulnerability could enable a remote, authenticated attacker to carry out an elevation-of-privilege attack on a system's LSASS.
- This is the conclusion of Google Project Zero security researcher James Forshaw, who discovered the original flaw. Forshaw tweeted that the parsing of the service principal name (SPN) was incorrect. On a system that has a proxy configured, an attacker can bypass the fix, so the flaw hasn't been fully patched.
- The researcher stressed that the issue is a serious threat in the enterprise environment.
- In his original research on the bug, Forshaw wrote that LSASS did not correctly enforce the enterprise authentication capability, which could allow any AppContainer to authenticate with the user's credentials.