Google’s Project Zero discloses Windows 0day that’s been under active exploit

By | October 30, 2020
A stylized skull and crossbones made out of ones and zeroes.

Google’s project zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.

In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday’s post indicated the flaw is in Windows 7 and Windows 10, but made no reference to other versions.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The technical write up included a proof-of-concept code people can use to crash Windows 10 machines.

The Chrome flaw that was combined with CVE-2020-117087 resided in the FreeType font rendering library that’s included in Chrome and in applications from other developers. The FreeType flaw was fixed 11 days ago. It’s not clear if all programs that use FreeType have been updated to incorporate the patch.

Project Zero said it expects Microsoft to patch the vulnerability on November 10, which coincides with that month’s Update Tuesday. In a statement, Microsoft officials wrote:

Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

A representative said that Microsoft has no evidence the vulnerability is being widely exploited and that the flaw can’t be exploited to affect cryptographic functionality. Microsoft didn’t provide any information on steps Windows users can take until a fix becomes available.

Project Zero technical lead Ben Hawkes defended the practice of disclosing zerodays within a week of them being actively exploited.

The quick take: we think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable unlikely (so far it’s been used as part of an exploit chain, and the entry-point attack is fixed)

The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.

There are no details about the active exploits other than it’s “not related to any US election related targeting.”