
Google’s Project Zero Discloses Actively Exploited Windows Zero-Day

Windows zero-day under active exploitation


Google's Project Zero team has disclosed another zero-day elevation of privilege (EoP) vulnerability in the Windows kernel that is being actively exploited in targeted attacks. It is a buffer overflow bug in the Windows Kernel Cryptography Driver (cng.sys).

The buffer overflow is tracked as CVE-2020-17087 and allows an attacker to escalate privileges on the system. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The Windows exploit allowed the Chrome exploit to escape a security sandbox so that it could execute code on vulnerable machines.

The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue. The driver's input/output controllers can be used to pipe data into a part of Windows that allows code execution. The PoC, which can be used to crash Windows 10 machines, was tested on an up-to-date build of Windows 10 1903 (64-bit); the vulnerability is believed to have been present since at least Windows 7.
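To show why a 16-bit truncation leads to an undersized buffer, here is an added C example (not code from cng.sys or from Project Zero) that compares a truncating size calculation with a checked one. The expansion factor and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative assumption: each input byte expands to 6 output bytes. */
#define EXPANSION 6u

/* Flawed pattern: the product is narrowed to 16 bits, so high bits vanish. */
static uint16_t alloc_size_truncated(size_t src_len) {
    return (uint16_t)(EXPANSION * src_len);
}

/* Bytes a formatting loop would really write for src_len input bytes. */
static size_t bytes_written(size_t src_len) {
    return (size_t)EXPANSION * src_len;
}

/* 1 when the truncated allocation is smaller than what gets written. */
static int would_overflow(size_t src_len) {
    return bytes_written(src_len) > alloc_size_truncated(src_len);
}

/* Hardened pattern: reject lengths whose product cannot fit in 16 bits.
   Returns 0 and stores the size on success, -1 on rejection. */
static int alloc_size_checked(size_t src_len, uint16_t *out) {
    if (src_len > UINT16_MAX / EXPANSION)
        return -1;
    *out = (uint16_t)(EXPANSION * src_len);
    return 0;
}

int main(void) {
    /* Constructed sample lengths around the 16-bit boundary. */
    size_t samples[] = { 0x0100, 0x2AAA, 0x2AAB, 0x4000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t checked = 0;
        int rc = alloc_size_checked(samples[i], &checked);
        printf("len=0x%04zx needs=%zu truncated_alloc=%u overflow=%d checked=%s\n",
               samples[i], bytes_written(samples[i]),
               (unsigned)alloc_size_truncated(samples[i]),
               would_overflow(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

With these assumptions, the largest safe input is 0x2AAA bytes; one byte more wraps the 16-bit size to 2 while the write length keeps growing, which is the mismatch a bounds check before narrowing prevents.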

Last week, Google also fixed an actively exploited zero-day vulnerability found by Project Zero researchers in the Google Chrome web browser. The Chrome flaw that was combined with CVE-2020-17087 resided in the FreeType font rendering library, which is included in Chrome and in applications from other developers.

Project Zero said it expects Microsoft to patch the vulnerability on November 10, which coincides with that month’s Update Tuesday. 

Regarding the issue, Microsoft commented:

Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

According to Ben Hawkes, technical team lead of Google's Project Zero security research team, the ongoing attacks that exploit CVE-2020-17087 in the wild are not focused on targets associated with the U.S. election.

"We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley, that this is targeted exploitation and this is not related to any US election-related targeting."
