Windows 10 Privacy Settings bug lets users change admin options

Windows 10 Privacy Settings bug lets users change admin options

The Microsoft June 2020 Patch Tuesday consisted of 129 security fixes for critical and important vulnerabilities. Of these, an “Important” and equally ironic vulnerability, tracked as CVE-2020-1296, concerns privilege escalation in the Windows Diagnostics & Feedback settings app: the annoying privacy setting screen is shown to users when setting up or upgrading Windows.

Discovered by security researcher Kushal Arvind Shah of FortiGuard Labs, the vulnerability exists because of how privacy settings are applied across different user accounts, in a broken and inconsistent manner.  

“The root cause for this vulnerability is the lack of Privacy Settings Segregation and the incorrect handling of Windows Diagnostic Data feedback in memory across all users on the Windows 10 platform,” said Shah.

What this means is, when initially installing and configuring Windows 10, the Administrator is presented with a “Diagnostics & Feedback” options screen. From this screen, the administrator can set whether full diagnostic data is sent to Microsoft for analysis, or a basic level of information, in the event of crashes or other anomalies being detected.

Also read: 6 Simple Tips on Cyber Safety at Home

When configuring these settings using an administrator account during a Windows setup or upgrade, the researcher explains that “All Users on the system [are] required to abide by the Diagnostic Data settings chosen/opted-for by the Administrator.”

When an Administrator initially sets a privacy setting, say to send “Full” diagnostic information, the setting is also applied across all standard (non-admin) accounts on the same machine. However, when the standard user logs into their account, they can further configure Diagnostics & Feedback settings for their account.

In the case of this CVE-2020-1296 vulnerability, when toggling between “Basic” and “Full” settings a few times, the standard user is able to override the Administrator’s Diagnostics settings in an unauthorized manner. 

This ability allows the standard user to effectively alter not only their own but also the Administrator account’s Diagnostics & Feedback preferences.

This vulnerability is caused by a race condition as well as a lack of “privacy settings segregation” across user accounts.

Race condition vulnerabilities occur when user attempts to perform simultaneous operations, but these happen out-of-order, resulting in unintended and often incorrect outcomes. An electronic bank ledger analogy conveys the serious consequences race conditions can have in the real world.

Shah demonstrated this vulnerability in the following YouTube video.

Why does it matter?

At first glance, this may seem like an innocuous flaw.

Why does it matter if a system is sending Full or Basic diagnostics information to Microsoft, which is aggregated in bulk anyway and benefits research efforts at Microsoft?

You’d think, at most, this is a minor access violation.

Things get serious, however when apps like Windows Defender and Microsoft Edge browser rely on these very settings to offer enhanced protection to their users.

Enabling “Full” level of Diagnostics & Feedback reporting enables Windows Defender SmartScreen capability to work.  That means, Defender can constantly monitor web browsing history in an attempt to collect data on malicious domains and threats, and add these to their list of “harmful websites.”

When a standard user account can downgrade the information reporting to a “Basic” level, however, such protections lapse as this data will no longer be communicated to Microsoft.

“Also it can be categorized as a “Security Bypass” vulnerability as it denies new security/feature updates to Windows Insider Users,” stated Shah. “Windows Insider Channel Users are required to have the Diagnostic Data setting set to “Full” to receive any new security/feature updates, and any unauthorized change to this setting denies further Insider Channel updates on that system.” 

In this manner, a standard account user who alters the settings – either unknowingly, or with malicious intent, can hinder enhanced protections for all users present on the system.

The advisory suggests that for remediation, users should install the latest set of Microsoft updates. 

“Due to the important rating of this vulnerability, and its implications with regards to user privacy, we suggest users should apply these Microsoft patches as soon as possible,” Shah recommends.

Information related to this CVE and patches is available at Microsoft’s Security Response Center.

Also read: 7 Key Principles of Privacy by Design that Businesses should adopt