Two weeks ago, Google fixed a vulnerability in Chrome that was under active exploitation by attackers, saying it had evidence of an exploit in the wild. Now, Google researchers have revealed an unpatched vulnerability in Windows that was being used in conjunction with the Chrome bug in some attacks.
Google’s Project Zero research team discovered both vulnerabilities, and on Friday the team disclosed the details of the Windows bug (CVE-2020-17087), a pool-based buffer overflow in the Windows kernel cryptography driver, cng.sys. The flaw cannot be exploited remotely on its own, but a local attacker, or code already running in a sandboxed process on the target machine, can use it to escalate privileges. Google researchers saw attackers chain this bug with the Chrome flaw (CVE-2020-15999) in targeted attacks: the Chrome bug gave code execution inside the browser’s renderer sandbox, and the kernel bug was used to break out of it.
“The Windows kernel crypto driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” says Project Zero’s bug report.
“We have evidence that this bug is being used in the wild.”
Microsoft is expected to release a patch for the vulnerability on November 10, its regular monthly Patch Tuesday.
The exploit attempts that Google has seen related to this vulnerability have been targeted attacks and are not related to any attempted intrusion into election infrastructure, the company said. The Project Zero team also published a proof-of-concept exploit for the bug along with its report.
“It was tested on an updated version of Windows 10 1903 (64-bit), but the vulnerability is believed to be present since at least Windows 7. A crash is easier to reproduce with Special Pools enabled for cng.sys, but even on the default settings, 64kB corruption of kernel data will almost certainly crash the system shortly after running the exploit,” the bug report says.
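For anyone reproducing the crash on a test machine, the following is an added example of how to turn on the Special Pool setting the report refers to. It is not part of the Project Zero report or its proof-of-concept; it uses Windows’ built-in Driver Verifier (verifier.exe), whose flag 0x1 enables Special Pool for the named driver, and assumes an elevated PowerShell prompt on a disposable VM that you are willing to bugcheck.

```powershell
# Added example, not from the Project Zero report: enable Driver Verifier's
# Special Pool (flag 0x1) for cng.sys only, so that an out-of-bounds pool write
# faults on a guard page at the offending instruction instead of silently
# corrupting neighbouring kernel data. Requires administrator rights and a
# reboot to take effect; run on a throwaway test VM, never on a production host.
verifier /flags 0x1 /driver cng.sys
Restart-Computer

# After the reboot, confirm Driver Verifier is active for cng.sys before
# running the proof-of-concept, then capture the bugcheck with a kernel
# debugger or from the resulting memory dump.
verifier /query

# Clean up once the crash has been captured (also needs a reboot); leaving
# Special Pool enabled slows the driver down and can exhaust non-paged pool.
verifier /reset
Restart-Computer
```

Special Pool places each allocation from the verified driver on its own page with an inaccessible page next to it, which is why the overflow becomes deterministic: with it off, the 64kB write lands on whatever happens to be adjacent in the pool, and the crash shows up later and somewhere else.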
In late October, Project Zero researchers discovered that attackers were exploiting a previously unknown flaw in Chrome, which turned out to be a heap buffer overflow in the FreeType font rendering library that Chrome bundles. Google patched the vulnerability on October 20 for Chrome desktop users. Two days later, the researchers filed a separate bug report for the Windows kernel vulnerability that was being used in conjunction with the Chrome flaw. Both vulnerabilities were subject to Project Zero’s more aggressive seven-day disclosure deadline, which applies to bugs that are being actively exploited, rather than its standard 90-day deadline.