Google discloses zero-day flaw in Windows that’s being used in the wild
A bug in the Windows kernel could be exploited to elevate an attacker's code with additional permissions, Google's Project Zero team warns
Google’s Project Zero team has released details of a critical vulnerability in Windows. The security researchers said that hackers are actively exploiting the vulnerability. Microsoft will reportedly issue a patch to fix the vulnerability by November 10.
What is the vulnerability?
Identified as CVE-2020-17087, the vulnerability allows hackers to escalate system privileges. Hackers also leveraged another zero-day, in Chrome, tracked as CVE-2020-15999, to conduct the attacks.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” said Google in a post.
Who is affected?
Google’s Project Zero team confirmed that the vulnerability CVE-2020-17087 affects Windows 7 and Windows 10 users.
Why did Google disclose it?
Google’s Project Zero team periodically discloses vulnerabilities. The team also informs the affected company to fix the security flaw.
In this case, Google gave Microsoft a seven-day deadline to fix the security flaw as it was being used in the wild.
Traditionally, the security team gives at least a 90-day deadline to fix the flaw. It publishes the vulnerability once the patch is available or the deadline has expired, whichever happens first.
What is Microsoft doing?
According to Project Zero’s technical lead Ben Hawkes, Microsoft has planned to fix the security flaw by November 10. He also clarified that this was targeted exploitation and not related to any US election-related targeting.
“Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.” — Ben Hawkes (@benhawkes), October 30, 2020
TechCrunch, however, reports Microsoft has not confirmed the date.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company said in a statement.