Google’s Project Zero discloses Windows 0day that’s been under active exploit

reader comments

23 with 20 posters participating

Google’s project zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.

In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday’s post indicated the flaw is in Windows 7 and Windows 10, but made no reference to other versions.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a DeviceCNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The technical write up included a proof-of-concept code people can use to crash Windows 10 machines.

FreeType font rendering library that’s included in Chrome and in applications from other

Continue reading – Article source