The first of these vulnerabilities, which affects Windows Vista/Server 2008 and every later release, meaning essentially every Windows system still in operation, has already been patched by Microsoft; patches for the others are to follow.
Field Effect, an Ottawa-based cyber security company that provides threat protection services specifically for the underserved SMB market, has announced that its security research team has discovered a series of what it describes as critical privilege-escalation vulnerabilities that could be exploited to give an attacker kernel-level privileges on Windows Vista/Server 2008 and all newer releases. The vulnerabilities were reported to Microsoft in early May under coordinated disclosure, so they are not zero-days in the usual sense of flaws exploited before a fix exists. Microsoft issued a patch for the first of them, CVE-2021-34514, in its Patch Tuesday update of July 13, 2021. Patches for the remaining vulnerabilities are scheduled for the fall.
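A practical follow-up to the paragraph above is to confirm that a given host has actually received the July 13, 2021 Patch Tuesday update that carried the CVE-2021-34514 fix. The PowerShell below is an added example for this page; it is not Field Effect's or Microsoft's code. Because the article does not name the KB article for the fix, the script does not assume one: it keys on the update install date, reports the ntoskrnl.exe file version (the binary the article says contains the race condition), and reads both the Win32_QuickFixEngineering view (Get-HotFix) and the Windows Update Agent history, since the former omits some cumulative updates. The patch date is taken from the article; everything else is a stated assumption.

```powershell
# Added example (not from the article or from Field Effect/Microsoft).
# Checks whether this host recorded a successful Windows update on or after
# the 13 July 2021 Patch Tuesday that shipped the CVE-2021-34514 fix, and
# reports the kernel file version. Assumption: the KB number for the fix is
# not known here, so the check is by install date, not by KB identifier.
# A "no update" result means "go check Windows Update", not proof of exposure.

function Test-July2021PatchTuesday {
    [CmdletBinding()]
    param(
        # Date of the Patch Tuesday release named in the article
        [datetime]$PatchDate = [datetime]::new(2021, 7, 13)
    )

    # Kernel image the article identifies as containing the ALPC race condition
    $kernel = Get-Item -Path "$env:SystemRoot\System32\ntoskrnl.exe"
    Write-Host ("ntoskrnl.exe version : {0}" -f $kernel.VersionInfo.FileVersion)
    Write-Host ("OS build             : {0}" -f [System.Environment]::OSVersion.Version)

    # Source 1: Win32_QuickFixEngineering via Get-HotFix. Fast, but it does not
    # list every update type, so a miss here is not conclusive on its own.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending

    # Source 2: Windows Update Agent history (COM), which records cumulative
    # updates that QFE may omit. ResultCode 2 means "Succeeded".
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
    $updates  = $history |
        Where-Object { $_.ResultCode -eq 2 -and $_.Date -ge $PatchDate } |
        Sort-Object Date -Descending

    if ($hotfixes) {
        Write-Host "`nGet-HotFix entries installed on/after $($PatchDate.ToShortDateString()):"
        $hotfixes | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String | Write-Host
    }
    if ($updates) {
        Write-Host "`nWindows Update history entries on/after $($PatchDate.ToShortDateString()):"
        $updates | Format-Table Date, Title -AutoSize | Out-String | Write-Host
    }

    # Return a single boolean so the function can be used in scripted fleet checks
    $patched = [bool]($hotfixes -or $updates)
    if (-not $patched) {
        Write-Warning "No successful update recorded since $($PatchDate.ToShortDateString()); check Windows Update."
    }
    return $patched
}

# Usage: run in an elevated PowerShell session on the host being checked
Test-July2021PatchTuesday
```

On a fleet, the boolean return is the useful part: wrap the call in Invoke-Command across hosts and collect the results, then follow up by KB once the exact update for your OS build is known from the Microsoft advisory, since a date-based check only tells you that some update landed after the fix shipped.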
“This patch was the first of a series of vulnerabilities that we disclosed to Microsoft that deal with possible privilege escalations,” said Matt Holland, Field Effect’s Founder, CEO, and CTO. “They allow an attacker to upgrade privilege level from basic sandbox level, which is highly protected, to full kernel access. It’s the equivalent of going from 0 to 60 easily, and definitely gives the attacker the upper hand. We have updated our Covalence platform to protect against these vulnerabilities, but if an attacker were to find the vulnerabilities in the absence of this kind of protection, it would be very difficult to defend, because the attacker can go from the lowest execution level to the OS kernel so quickly. It is a potential disaster.”
The CVE-2021-34514 vulnerability was discovered by Erik Egsgard, Field Effect’s principal security researcher. It is a race condition vulnerability and resides in the Advanced Local Procedure Call (ALPC) facility of the Windows kernel (ntoskrnl.exe).
“This and these other vulnerabilities have been in every system since Vista,” Holland said. “However, unless you are a professional, you would not know how to identify these kinds of bugs, which is how they have remained undetected for so long, by Microsoft and by everybody else. It comes down to the calibre of the security team, and there are simply not enough people of this calibre in the industry.”
Holland also noted that while many cybersecurity companies have announced discoveries of Microsoft vulnerabilities in the past, to his knowledge Field Effect is the first Canadian company to do so.
“We believe that it is a first for the country,” he said.
Holland said that Microsoft's decision to delay the remaining patches reflects its perspective as a vendor.
“They are concerned that there are potential consequences if you rush a patch, particularly around introducing new bugs,” he stated. “We gave them advice on how to fix it, so we think it shouldn’t really take that long, but we know they have a different perspective on it than we do.”
Field Effect stands out in its space for its explicit focus on the SMB market, which has typically regarded this kind of solution as too expensive or too complex.
“No one has really solved the cybersecurity problem anywhere, let alone for SMBs,” Holland said. “This company was created by people doing this in some form or fashion for several decades in support of government agencies, and we figured out the formula to bring it to SMBs successfully. Threat intelligence is a part of our service, but we don’t hang our hat entirely on it. Our goal is to demystify cybersecurity and help SMBs understand threats their companies face, whether these are phishing campaigns, brute force attacks, or ransomware. We don’t just provide customers with a continuous data feed, but provide very enriched data tailored to them.”
The company has 160 employees, with its head office in Ottawa and a second office in London, U.K. It also has staff across Canada and in Australia and the U.S.
“U.S. expansion is a big focus for us now, particularly in the fourth quarter of this year,” Holland noted. He indicated that today 60% of their customers are in Canada, 20% in Europe and 20% in the U.S.
Earlier this year, Field Effect updated its channel program, specifically to make it more appealing to MSPs.
“Our Go-to-Market is a combination of direct, VARs, which include Telus, and traditional MSPs,” Holland said. “Our Go-to-Market strategy has three teams all working to improve them in parallel. We do see a lot of promise in the MSP channel.”