New Windows flaws allow the removal of 2FA
Microsoft has issued patches for the issues.
Following in the wake of Patch Tuesday, three additional flaws with Microsoft products have been revealed, two of which could remove the two-factor authentication (2FA) protocol from any Windows products.
The vulnerabilities were found in Microsoft ASP.NET and Microsoft Visual Studio. In both cases a remote user could conduct a cross-site request forgery attacks that would allow the removal of 2FA. Essentially the attacker uploads malware to the victim though a web page or malicious URL which removes the phone number associated with the 2FA with that account making it inoperative. Password authentication is not affected.
The third flaw impacts Windows 2008 R2 and 2012 R2. A vulnerability was found in Windows Network Policy Server allowing a remote user to block Radius authentication on the targeted system. This is done by sending specially crafted username strings to the target network policy server to prevent Remote Authentication Dial-In User Service.
Microsoft has issued patches for all three vulnerabilities.