Researchers at Google LLC’s Project Zero have revealed a new vulnerability in Windows that allows attackers to bypass security to install malicious software.
Detailed late last month by researchers Mateusz Jurczyk and Sergei Glazunov, the zero-day, or previously undiscovered, vulnerability relates to an integer overflow flaw in input/output control in the kernel cryptography driver in Windows. Combined with a previously fixed flaw in Google Chrome, the vulnerability could be exploited by hackers to escape a security sandbox and run code on vulnerable machines.
As Ars Technica explained on Friday, the vulnerability, formally known as CVE-2020-117087, is the result of a buffer overflow in a part of Windows used for input/output drivers. Those drivers can then be used to pipe data to parts of Windows that allow code to run.
“The Windows kernel cryptography driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the Project Zero researchers said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as escape from the sandbox).”
Despite implementing a policy in January to wait 90 days before disclosing security vulnerabilities, Project Zero decided to disclose this vulnerability after seven days, as it is said to be under active exploitation. But Microsoft Corp., while confirming the vulnerability, said it had no evidence that it was being exploited in the wild. A patch for the vulnerability is expected on November 10 as part of Microsoft’s monthly Patch Tuesday release.
The vulnerability disclosure comes as Microsoft once again warns that threat actors continue to exploit the Windows Server “Zerologon” vulnerability that it first disclosed in September. In a statement Oct. 29, Microsoft said it “has received a small number of reports from customers and others about ongoing activity that exploits a vulnerability” in what Microsoft calls Netlogon.
A patch for the Zerologon / Netlogon vulnerability was released in August.
“The continued exploitation of a vulnerability that allows attackers easy and unrestricted access to the entirety of an organization’s digital resources should come as no surprise,” Adam Laub, general manager of cybersecurity firm Stealthbits Technologies Inc., told SiliconANGLE. “Threat actors will try to discover and exploit this vulnerability as long as it continues to function.”
But he added that while sustained vulnerability does not necessarily mean negligence on the part of the organizations that have been victimized, the most likely explanation for why they have been victimized is that they haven’t fixed the problem. “Because non-Windows or self-produced applications and resources may not be able to take advantage of secure connections through Netlogon at this time, it has certainly forced some organizations to weigh the risks between the possibility of compromise and the certainty of service downtime,” he said.