in , , , ,

Google’s Project Zero discloses Windows zeroday that’s been under active exploit

Google’s Project Zero discloses Windows 0day that’s been under active exploit
A stylized skull and crossbones made out of ones and zeroes.

Google’s project zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.

In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a DeviceCNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The technical write up included a proof-of-concept code people can use to crash Windows 10 machines.

The Chrome flaw that was combined with CVE-2020-117087 resided in the FreeType font rendering library that’s included in Chrome and in applications from other developers. The FreeType flaw was fixed 11 days ago. It’s not clear if all programs that use FreeType have been updated to incorporate the patch.

Project Zero said it expects Microsoft to patch the vulnerability on November 10, which coincides with that month’s Update Tuesday. Microsoft representatives didn’t immediately respond to a request for comment, and I couldn’t locate any posts showing what steps Windows users can take until a fix becomes available.

Project Zero technical lead Ben Hawkes defended the practice of disclosing zerodays within a week of them being actively exploited.

The quick take: we think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable unlikely (so far it’s been used as part of an exploit chain, and the entry-point attack is fixed)

The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.

There are no details about the active exploits other than it’s “not related to any US election related targeting.”

What do you think?

Apple launches the Apple One subscription bundle, with three tiers ranging from the $14.95 Individual tier to the $29.95 Premier tier (Jon Porter/The Verge)

Apple launches the Apple One subscription bundle, with three tiers ranging from the $14.95 Individual tier to the $29.95 Premier tier

The scooter battle for New York City is on – TechCrunch

The scooter battle for New York City is on