WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild

Google has disclosed details of a new zero-day privilege escalation flaw in the Windows operating system that’s being actively exploited in the wild.

The elevation of privileges (EoP) vulnerability, tracked as CVE-2020-17087, concerns a buffer overflow present since at least Windows 7 in the Windows Kernel Cryptography Driver (“cng.sys”) that can be exploited for a sandbox escape.

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” Google’s Project Zero researchers Mateusz Jurczyk and Sergei Glazunov noted in their technical write-up.

The security team made the details public following a seven-day disclosure deadline because of evidence that it’s under active exploit.

Project Zero has shared a proof-of-concept exploit (PoC) that can be used to corrupt kernel data and crash vulnerable Windows devices even under default system configurations.

What’s notable is that the exploit chain requires linking CVE-2020-17087 with another Chrome browser zero-day (CVE-2020-15999) that was fixed by Google last week.

The Chrome zero-day involves a heap buffer overflow in the Freetype font library to run malicious code in the browser, but the newly revealed Windows zero-day makes it possible for an attacker to break out of Chrome’s sandbox protections and run the code on Windows — also called a sandbox escape.

Stating that the exploitation is “not related to any US election-related targeting,” Project Zero’s Ben Hawkes said a patch for the flaw is expected to be released by Microsoft on November 10.

Hawkes also defended the practice of disclosing zero-days within a week of them being actively exploited.

“We think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely (so far it’s been used as part of an exploit chain, and the entry-point attack is fixed),” he said.

“The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period,” Hawkes added.

Cyber Security

Articles You May Like

Apple Led Smartphone Market in Holiday Quarter Amid Largest-Ever Decline in Smartphone Demand: IDC
World of Warcraft China Shut Down Cuts Off Millions of Gamers
ChatGPT Writes Essays on Constitutional Law, Taxation, Passes Exams at US Law School
Noise Buds Combat TWS With Up to 36 Hours Battery Life, Quad Mic ENC Launched in India: Details
Jio Launches 5G Services in Seven Northeast Cities, Network Now Live in 191 Cities in India

Leave a Reply

Your email address will not be published. Required fields are marked *