On Tuesday, Tavis Ormandy of Google’s Project Zero released an exploit kit called
ctftool which uses and abuses Microsoft’s Text Services Framework in ways that can effectively get anyone
system that is—on any unpatched Windows 10 system they’re able to log into. The patches for this vulnerability—along with several other serious issues—went out in this week’s Patch Tuesday update.
We independently verified Ormandy’s proof-of-concept, and it’s precisely what it says on the tin: follow the directions and you get an
nt authority\system privileged command prompt a few seconds later. We also independently verified that applying KB4512508 closed the vulnerability. After applying the August security updates, the exploit no longer works.