Google’s Project Zero discloses Windows zero-day under active exploitation
The vulnerability, a buffer overflow tracked as CVE-2020-17087, allows an attacker to escalate privileges on the system. Attackers were chaining an exploit for it with a separate exploit for a recently fixed flaw in Chrome: the Windows exploit allowed the Chrome exploit to escape the browser’s security sandbox so that it could execute code on vulnerable machines.
The bug resides in the cng!CfgAdtpFormatPropertyBlock function of the cng.sys driver and is caused by a 16-bit integer truncation. The driver’s I/O control (IOCTL) interface can be used to pipe attacker-controlled data into a component of Windows where it can lead to code execution. The proof of concept was tested on an up-to-date 64-bit build of Windows 10 1903 and can be used to crash Windows 10 machines; the vulnerability is believed to have been present since at least Windows 7.
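As an added illustration of the bug class described above (not the cng.sys code and not Project Zero’s proof of concept), the following C sketch shows how a 16-bit truncation in a size computation yields an undersized buffer, beside the widened, checked computation that closes the hole; the "0x%02x," output format, the 5-bytes-per-input-byte ratio and the 16-bit length field are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of a 16-bit truncation in a buffer-size
 * computation. NOT the cng.sys code: the "0x%02x," format (5 bytes per
 * input byte) and the 16-bit length field are assumptions chosen to show
 * the bug class and the check that closes it. */
#define CHARS_PER_BYTE 5

/* Vulnerable pattern: the product lands in a 16-bit field, so 13,108 or
 * more input bytes wrap to a small value while a loop keyed on the real
 * length would still write 5 bytes per input byte past the buffer. */
uint16_t truncated_size(uint32_t input_len) {
    return (uint16_t)(input_len * CHARS_PER_BYTE);
}

/* Hardened pattern: widen to 64 bits and refuse anything that does not
 * fit the 16-bit field instead of wrapping. Returns 1 on success. */
int checked_size(uint32_t input_len, size_t *out) {
    uint64_t n = (uint64_t)input_len * CHARS_PER_BYTE;
    if (n > UINT16_MAX) return 0;
    *out = (size_t)n;
    return 1;
}

/* Formats len bytes as "0x..," tokens into a heap string sized by
 * checked_size(); NULL when the check fails, so an oversized request
 * never reaches the copy loop. Caller frees the result. */
char *format_property_block(const uint8_t *data, uint32_t len) {
    size_t out_len;
    if (!checked_size(len, &out_len)) return NULL;
    char *buf = malloc(out_len + 1);
    if (!buf) return NULL;
    for (uint32_t i = 0; i < len; i++)
        snprintf(buf + (size_t)i * CHARS_PER_BYTE, CHARS_PER_BYTE + 1, "0x%02x,", data[i]);
    buf[out_len] = '\0';
    return buf;
}

/* Runs the hardened formatter over a small constructed input and reports
 * whether the output is exactly the expected 15-byte string. */
int sample_formats_correctly(void) {
    const uint8_t sample[] = { 0xde, 0xad, 0xbe };      /* constructed input */
    char *s = format_property_block(sample, (uint32_t)sizeof sample);
    int ok = s != NULL && strcmp(s, "0xde,0xad,0xbe,") == 0;
    free(s);
    return ok;
}
```

For a 14,000-byte input the truncated size is 4,464 bytes while the real requirement is 70,000, which is the gap an overflow occupies; the checked version refuses that request outright.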
Last week, Google also fixed an actively exploited zero-day vulnerability, found by Project Zero researchers, in the Google Chrome web browser. The Chrome flaw that was chained with CVE-2020-17087 resided in the FreeType font rendering library, which is included in Chrome and in applications from other developers.
Project Zero said it expects Microsoft to patch the vulnerability on November 10, which coincides with that month’s Update Tuesday.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
Regarding the issue, Microsoft commented:
Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.
According to Ben Hawkes, technical team lead of Google's Project Zero security research team, the ongoing attacks that exploit CVE-2020-17087 in the wild are not focused on targets associated with the U.S. election.
"We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley, that this is targeted exploitation and this is not related to any US election-related targeting."