Novel CLFS vulnerability mitigation touted by Microsoft

Increasingly prevalent cyberattacks exploiting Windows Common Log File System (CLFS) vulnerabilities have prompted Microsoft to test a mitigation that identifies unauthorized alterations to CLFS logfiles. The mitigation would be integrated into the Windows Insiders Canary channel, according to SecurityWeek.

Appending Hash-based Message Authentication Codes (HMACs), which are generated by hashing input data together with a secret cryptographic key, to logfiles would help CLFS detect logfiles that have been modified by anything other than the CLFS driver, noted Microsoft. The company added that valid HMACs could only be produced with a cryptographic key accessible only to the system and admins.

"Rather than continuing to address single issues as they are discovered, [we] worked to add a new verification step to parsing CLFS logfiles, which aims to address a class of vulnerabilities all at once. This work will help protect our customers across the Windows ecosystem before they are impacted by potential security issues," said Microsoft software engineer Brandon Jackson, who noted the mitigation's use of a Merkle tree to ensure efficiency in processing large files.
