Initially discovered by security researcher Michael Hanselmann, the problem involves a Go function in hcsshim. Specifically, an unsanitized input opens the door for hackers to run arbitrary malicious code. Of course, they would need the know-how to do this, but with those skills they would gain system access. With access to the Windows host, attackers could remove and replace files, or even create new ones.

Microsoft was first told about the issue in February. Since then, the company has been working on a fix for the problem. That patch was rolled out to GitHub, where it is now available for download. We are not sure why the company did not wait until Patch Tuesday next week, but hey ho.

At the time, Microsoft was adamant that, even with the vulnerability, an exploit was unlikely. The company explained the situation in the CVE-2018-8115 security bulletin it published:

“A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image,” Microsoft says in the security advisory. “To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.”
Fix
With the new patch, Microsoft explains, Windows Host has changed the way it validates input from container images. In other words, the service now blocks malicious code from loading onto Windows. No technical information has been provided, but we won’t have to wait long: Hanselmann says he will post an in-depth description and proof of exploit for the flaw on May 9. He adds that this is part of an agreement he has with Microsoft’s security team.