CVE-2020-17008 error and botch with Windows 10 patch

Google Project Zero is a division of security experts of the Internet giant that was launched in July 2014 and that is dedicated to locating zero-day attacks in different softwares. Broadly speaking, these bugs are privately reported to the manufacturer and made public once the patch has been released. However, if 90 days go by without a patch being released, they are also released to “pressure” the manufacturer to release a patch.

Microsoft didn’t fix a problem in 6 months

All of this brings us back to September 24 of this year when Google Project Zero published all the details about an elevation of privilege vulnerability that exploited a bug in the spooler API. splwow64.exe. Microsoft had known about the error since December 2019, but they spent 6 months without doing anything. Finally, the existence of the security flaw was published.

If the vulnerability is successfully exploited, an attacker can manipulate the splwow64.exe process to execute arbitrary code on the system, being able to install malicious programs capable of viewing, changing, deleting data or creating new user accounts. Of course, it is necessary that the attacker is logged into the system for its success.

Finally, Microsoft released a patch to fix the problem, but nothing could be further from the truth. From Google they explain that “ The vulnerability still exists, only the method of exploiting it has changed”. In fact, they confirm that they limited themselves to changing “pointers to offsets”. This still allows the bug to be exploited.

Now that vulnerability has been cataloged with the code CVE-2020-17008 and we are expected to have a patch on January 12, 2021. The problem is that Google Project Zero has even shown a proof of concept of how to take advantage of it, so let’s hope it is not too late; and, above all, that it is not a new botch.