Google Project Zero Discloses Nasty Windows 0-Day Security Exploit Already In The Wild
Google’s Project Zero team, which is tasked with discovering 0-day vulnerabilities, has uncovered an exploit in the Windows kernel that can lead to sandbox escape or privilege escalation. The bug, given CVE-2020-17087, is of the buffer overflow type in the Windows Kernel Cryptography Driver (CNG.sys) and is being actively exploited. Thankfully, this exploit is targeted and is not related to any U.S. election hacking, which could become more prevalent in the coming days.
Last week, the Project Zero team discovered an exploit in Google Chrome and Chrome OS. Around the same time, they found the Windows Kernel bug, and it was “subject to a 7-day disclosure deadline.” It was subject to this deadline because the exploit was being used in the wild. This means Microsoft received a notice before the public did, but in short order as anyone can be targeted.
As for using the exploit, it works by using a function in the Windows Kernel Cryptography Driver (CNG.sys) that puts a number into a buffer that is too small and then converting it to hexadecimal from binary. The researchers claim that they tested the bug on Windows 10, but it “is believed to be present since at least Windows 7.” After running the exploit, system crashes can occur, but the exploit can open doors for privilege escalation or sandbox escape. The Project Zero team showed example psuedo-code on the report that shows show an attack could be done.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
