Google Project Zero Discloses Nasty Windows 0-Day Security Exploit Already In The Wild
Google’s Project Zero
team, which is tasked with discovering 0-day vulnerabilities, has uncovered an exploit in the Windows
kernel that can lead to sandbox escape or privilege escalation. The bug, given CVE-2020-17087, is of the buffer overflow type in the Windows Kernel Cryptography Driver (CNG.sys) and is being actively exploited. Thankfully, this exploit is targeted and is not related to any U.S. election hacking, which could become more prevalent in the coming days.
Last week, the Project Zero team discovered
an exploit in Google
Chrome and Chrome OS. Around the same time, they found the Windows Kernel bug, and it was “subject to a 7-day disclosure deadline.” It was subject to this deadline because the exploit was being used in the wild. This means Microsoft received a notice before the public did, but in short order as anyone can be targeted.
As for using the exploit, it works by using a function in the Windows Kernel Cryptography Driver (CNG.sys) that puts a number into a buffer that is too small and then converting it to hexadecimal from binary. The researchers claim that they tested the bug on Windows 10, but it “is believed to be present since at least Windows 7.” After running the exploit, system crashes can occur, but the exploit can open doors for privilege escalation or sandbox escape. The Project Zero team showed example psuedo-code on the report
that shows show an attack could be done.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
Ben Hawkes, Project Zero technical lead, tweeted that a patch for this issue will come on November 10th. In the same tweet, he also confirmed that this exploit has nothing to do with election hacking threat during the election season. Hopefully, this will not become a widespread exploit; however, users need to be prepared to download the Microsoft patch as soon as possible. Any sort of vulnerability, even ones that are “targeted,” still can be dangerous.