Google's Project Zero tweaking Microsoft, because it did fix a bug
Redmond said it wouldn't fix a flaw, then did it on the sly
For once, a Google Project Zero bug report to Microsoft has resulted in a fix without a public spat. Indeed, this fix happened without any public announcement at all.
Back in 2014, Project Zero's James Forshaw told Redmond he'd found a Windows Kernel Object Manager bug that permitted a “limited bypass of traverse permissions” – because it enabled a Chrome sandbox escape.
The problem was in the SeFastTraverseCheck method's behaviour, and Forshaw originally said he didn't “really expect this will be considered a bulletin class issue, if it's considered an issue at all”.
He was right: a year later, he made the bug report public because Redmond had put it in the “won't fix” basket – but sometime since 2015 a fix happened, which Forshaw notes explains what he first saw.
It turns out the bug was in another component: “SeFastTraverseCheck is doing a check for the TOKEN_IS_RESTRICTED flag and failing early (which would lead to a bypass of traversal privileges for Chrome etc.); however, SeCreateAccessState was never setting that flag in the ACCESS_STATE Flags member, which means that the check was bypassed.”
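The bug class Forshaw describes is a guard that tests a flag which the code building the state never populates, so the guard can never fire. The following is an added, deliberately simplified C model written for this article; it is not Windows kernel code, and the structure names, flag values and function names (create_access_state_buggy, create_access_state_fixed, fast_traverse_check) are constructed stand-ins for the real SeCreateAccessState and SeFastTraverseCheck. It shows the buggy and fixed state construction side by side and a check that a restricted token is refused the fast path only when the flag is actually propagated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model (not Windows kernel code): hypothetical
   flag values standing in for the token and access-state flag bits. */
#define TOKEN_IS_RESTRICTED     0x01u
#define ACCESS_STATE_RESTRICTED 0x10u

typedef struct { uint32_t flags; } token_t;

typedef struct {
    uint32_t flags;          /* models the ACCESS_STATE Flags member */
    const token_t *token;
} access_state_t;

/* Buggy model of SeCreateAccessState: records the token but never copies
   the restricted bit into the access-state flags, so the later check
   has nothing to see. */
void create_access_state_buggy(access_state_t *as, const token_t *tok) {
    as->token = tok;
    as->flags = 0;
}

/* Fixed model: the flag the fast-path check depends on is populated
   from the token at the time the access state is built. */
void create_access_state_fixed(access_state_t *as, const token_t *tok) {
    as->token = tok;
    as->flags = (tok->flags & TOKEN_IS_RESTRICTED) ? ACCESS_STATE_RESTRICTED : 0;
}

/* Model of SeFastTraverseCheck: a restricted token must fail the fast
   path and fall back to the full access check. Returns true when the
   fast path grants traverse. */
bool fast_traverse_check(const access_state_t *as) {
    if (as->flags & ACCESS_STATE_RESTRICTED) {
        return false; /* fail early: full security-descriptor check required */
    }
    return true;      /* fast path: traverse granted without a full check */
}

/* Helper for the worked check: does a restricted token get the fast
   path under the buggy (use_fixed == false) or fixed state builder? */
bool restricted_token_gets_fast_path(bool use_fixed) {
    token_t restricted = { TOKEN_IS_RESTRICTED };
    access_state_t as;
    if (use_fixed) create_access_state_fixed(&as, &restricted);
    else           create_access_state_buggy(&as, &restricted);
    return fast_traverse_check(&as);
}

/* Same question for an unrestricted token, which should always be
   allowed the fast path regardless of which builder is used. */
bool unrestricted_token_gets_fast_path(bool use_fixed) {
    token_t normal = { 0 };
    access_state_t as;
    if (use_fixed) create_access_state_fixed(&as, &normal);
    else           create_access_state_buggy(&as, &normal);
    return fast_traverse_check(&as);
}

int main(void) {
    printf("buggy builder, restricted token: fast path = %d (bypass)\n",
           restricted_token_gets_fast_path(false));
    printf("fixed builder, restricted token: fast path = %d\n",
           restricted_token_gets_fast_path(true));
    printf("unrestricted token, either builder: fast path = %d / %d\n",
           unrestricted_token_gets_fast_path(false),
           unrestricted_token_gets_fast_path(true));
    return 0;
}
```

The point of the model is that fast_traverse_check is correct in isolation; the defect lives in the producer of the state it consumes. A regression test for this class of bug therefore has to exercise the builder and the checker together with a restricted token, which is exactly the case the buggy builder makes indistinguishable from an unrestricted one.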
The fix would have passed entirely without notice, had Forshaw been able to resist taking a dig at Microsoft:
His post on the Chrome blog dates the fix to as far back as November 2015, Windows 10 build 10586. ®