Google’s Project Zero states that hackers are actively exploiting a Windows zero-day that will likely not be patched for nearly two weeks.
In line with the longstanding guidelines, the Google Vulnerability Research Group gave Microsoft seven days to fix the vulnerability as it is currently being actively exploited. Typically, Project Zero reveals vulnerabilities after 90 days or when a patch becomes available, whichever comes first.
CVE-2020-117087 allows attackers to elevate system privileges while the vulnerability is being pursued. Attackers combined one exploit for this with a separate one that targeted a
. The former allowed the latter to escape a security sandbox so the latter could run code on vulnerable computers.Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh
— Ben Hawkes (@benhawkes) October 20, 2020
CVE-2020-117087 stems from a buffer overflow in a part of Windows that is used for cryptographic functions. The input / output controls can be used to route data into a part of Windows that enables code execution. Friday’s post indicated that the bug was in Windows 7 and Windows 10, but didn’t reference any other versions.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a device CNG device to programs in user mode and supports a large number of IOCTLs with non-trivial input structures,” said the article by Project Zero on Friday. “It is a locally accessible attack surface that can be used to escalate permissions (e.g. sandbox escape).”
The technical description included proof-of-concept code that users can use to crash Windows 10 computers.
The Chrome bug combined with CVE-2020-117087 was in the FreeType font rendering library that is included in Chrome and other developers’ applications. The FreeType bug was fixed 11 days ago. It’s not clear if all programs using FreeType have been updated to incorporate the patch.
Project Zero expects Microsoft to fix the vulnerability on November 10th, which coincides with this month’s update Tuesday. In a statement, Microsoft employees wrote:
Microsoft has a customer responsibility to investigate reported security issues and update affected devices to protect customers. While we are working to meet all researchers’ disclosure deadlines, including short-term deadlines like this scenario, developing a security update is a balance between timeliness and quality. Our primary goal is to ensure maximum customer protection with minimal customer disruption.
A representative said that Microsoft has no evidence that the vulnerability is being widely exploited and that the flaw cannot be exploited to compromise cryptographic functionality. Microsoft has not provided information about steps Windows users can take until a fix is available.
Project Zero Technical Leader Ben Hawkes
the practice of disclosing zero days within one week of their active use.The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.
— Ben Hawkes (@benhawkes) October 30, 2020
The quick decision: We believe that sharing these details has a defensive benefit and that opportunistic attacks that use these details up to the released patch are reasonably unlikely (previously it was used as part of an exploit chain and entry point attack) repaired)
The short deadline for in-the-wild exploits also seeks to incentivize out-of-band patches or other remedial actions that are urgently developed / shared. You can expect these improvements over a longer period of time.
There are no details of the active exploits other than that they are “unrelated to US election targets”.
These were the details of the news Google’s Project Zero announces Windows 0day, which is currently actively used for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.