
Google’s Project Zero discloses Windows 0-day that has been under active exploitation


Google’s Project Zero says that hackers are actively exploiting a Windows zero-day that probably will not be patched until almost two weeks from now.

In line with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it is under active exploitation. Typically, Project Zero discloses vulnerabilities after 90 days or when a fix becomes available, whichever comes first.


CVE-2020-17087, as the vulnerability is tracked, allows attackers to escalate privileges on the system. The attackers combined an exploit for it with a separate exploit for a recently fixed bug in Chrome. The former allowed the latter to escape the security sandbox so that the latter could execute code on vulnerable machines.

CVE-2020-17087 results from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday’s post said the flaw is in Windows 7 and Windows 10, but did not mention other versions.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Project Zero said in Friday’s post. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The technical write-up included proof-of-concept code that people could use to crash Windows 10 machines.

The Chrome flaw that was combined with CVE-2020-17087 was in the FreeType font rendering library, which is included in Chrome and in third-party applications. The flaw in FreeType was fixed 11 days ago. It is not clear whether all programs that use FreeType have been updated to include the patch.

Project Zero said it expects Microsoft to fix the vulnerability on Nov. 10, which coincides with that month’s Update Tuesday. In a statement, Microsoft employees wrote:

Microsoft has a customer commitment to investigate reported security issues and update affected devices to protect customers. Although we work to meet the disclosure deadlines of all researchers, including short-term deadlines, as in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with a minimum of customer interruption.

A spokesman said Microsoft had no evidence that the vulnerability was being widely exploited and that the flaw could not be used to affect cryptographic functionality. Microsoft has not provided any information about steps that Windows users can take until a fix is available.

Project Zero technical lead Ben Hawkes defended the practice of disclosing zero-days within a week of their being actively exploited.

Quick context: we believe that there is defensive utility in sharing these details, and that opportunistic attacks using these details between now and the patch being released are reasonably unlikely.

The short deadline for in-the-wild exploitation also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those are improvements that you can expect to see in the long run.

There are no details about the active exploits, except that they are “not related to any US election-related targeting.”
