Microsoft is experimenting with a major new security mitigation to thwart a surge in cyberattacks hitting flaws in the Windows Common Log File System (CLFS).
The Redmond, Wash. software maker plans to add a new verification step to parsing CLFS logfiles as part of a deliberate effort to cover one of the most attractive attack surfaces for APTs and ransomware attacks.
Over the last five years, there have been at least 24 documented vulnerabilities in CLFS, the Windows subsystem used for data and event logging, pushing the Microsoft Offensive Research & Security Engineering (MORSE) team to design an operating system mitigation to address a class of vulnerabilities all at once.
The mitigation, which will soon be fitted into the Windows Insiders Canary channel, will use Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS logfiles, according to a Microsoft note describing the exploit roadblock.
“Rather than continuing to address single issues as they are discovered, [we] worked to add a new verification step to parsing CLFS logfiles, which aims to address a class of vulnerabilities all at once. This work will help protect our customers across the Windows ecosystem before they are impacted by potential security issues,” according to Microsoft software engineer Brandon Jackson.
Here’s a full technical description of the mitigation:
“Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when logfiles have been modified by anything other than the CLFS driver itself. This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the logfile. An HMAC is a special kind of hash that is produced by hashing input data (in this case, logfile data) with a secret cryptographic key. Because the secret key is part of the hashing algorithm, calculating the HMAC for the same file data with different cryptographic keys will result in different hashes.
Just as you would validate the integrity of a file you downloaded from the internet by checking its hash or checksum, CLFS can validate the integrity of its logfiles by calculating its HMAC and comparing it to the HMAC stored inside the logfile. As long as the cryptographic key is unknown to the attacker, they will not have the information needed to produce a valid HMAC that CLFS will accept. Currently, only CLFS (SYSTEM) and Administrators have access to this cryptographic key.”
To maintain efficiency, particularly for large files, Jackson said Microsoft will be employing a Merkle tree to reduce the overhead associated with frequent HMAC calculations required whenever a logfile is modified.
Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers
Related: Microsoft Raises Alert for Under-Attack Windows Flaw
Related: Anatomy of a BlackCat Attack Through the Eyes of Incident Response
Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
