The Project Zero team privately shared details of the vulnerability with Microsoft a little over a week ago, but now that it is actively being used, the company has gone public. The zero-day bug is tracked as CVE-2020-117087 and will likely not be fixed by Microsoft for a few weeks.
A post on the “Project Zero” page explains the following: “The Windows kernel cryptographic driver (cng.sys) exposes a device CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures that can be attacked by the escalation of authorizations can be exploited (e.g. sandbox escape) “.
The Project Zero team made Microsoft aware of the vulnerability on October 22nd. But now it says, “We have evidence that the following bug is used in the wild. Therefore, this error is subject to a 7-day disclosure period. ”
Project Zero’s Ben Hawkes took to Twitter to say:
In a statement, Microsoft responded to the disclosure by saying:
Microsoft has a customer responsibility to investigate reported security issues and update affected devices to protect customers. While we are working to meet all researchers’ disclosure deadlines, including short-term deadlines like this scenario, developing a security update is a balance between timeliness and quality. Our primary goal is to ensure maximum customer protection with minimal customer disruption.
Credit: Primakov / Shutterstock
These were the details of the news Google provides details of a security vulnerability in the Windows Kernel... for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.