Google’s Project Zero announces Windows 0day, which is currently actively used

Google’s Project Zero states that hackers are actively exploiting a Windows zero-day that will likely not be patched for nearly two weeks.

In line with the longstanding guidelines, the Google Vulnerability Research Group gave Microsoft seven days to fix the vulnerability as it is currently being actively exploited. Typically, Project Zero reveals vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

CVE-2020-117087 allows attackers to elevate system privileges while the vulnerability is being pursued. Attackers combined one exploit for this with a separate one that targeted a

Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh

— Ben Hawkes (@benhawkes) October 20, 2020

. The former allowed the latter to escape a security sandbox so the latter could run code on vulnerable computers.

CVE-2020-117087 stems from a buffer overflow in a part of Windows that is used for cryptographic functions. The input / output controls can be used to route data into a part of Windows that enables code execution. Friday’s post indicated that the bug was in Windows 7 and Windows 10, but didn’t reference any other versions.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a device CNG device to programs in user mode and supports a large number of IOCTLs with non-trivial input structures,” said the article by Project Zero on Friday. “It is a locally accessible attack surface that can be used to escalate permissions (e.g. sandbox escape).”

The technical description included proof-of-concept code that users can use to crash Windows 10 computers.

The Chrome bug combined with CVE-2020-117087 was in the FreeType font rendering library that is included in Chrome and other developers’ applications. The FreeType bug was fixed 11 days ago. It’s not clear if all programs using FreeType have been updated to incorporate the patch.

Project Zero expects Microsoft to fix the vulnerability on November 10th, which coincides with this month’s update Tuesday. In a statement, Microsoft employees wrote:

Microsoft has a customer responsibility to investigate reported security issues and update affected devices to protect customers. While we are working to meet all researchers’ disclosure deadlines, including short-term deadlines like this scenario, developing a security update is a balance between timeliness and quality. Our primary goal is to ensure maximum customer protection with minimal customer disruption.

A representative said that Microsoft has no evidence that the vulnerability is being widely exploited and that the flaw cannot be exploited to compromise cryptographic functionality. Microsoft has not provided information about steps Windows users can take until a fix is ​​available.

Project Zero Technical Leader Ben Hawkes

The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.

— Ben Hawkes (@benhawkes) October 30, 2020

the practice of disclosing zero days within one week of their active use.

The quick decision: We believe that sharing these details has a defensive benefit and that opportunistic attacks that use these details up to the released patch are reasonably unlikely (previously it was used as part of an exploit chain and entry point attack) repaired)

The short deadline for in-the-wild exploits also seeks to incentivize out-of-band patches or other remedial actions that are urgently developed / shared. You can expect these improvements over a longer period of time.

There are no details of the active exploits other than that they are “unrelated to US election targets”.