
Google’s Project Zero reveals a Windows 0-day that is being actively exploited



[Image: a stylized skull and crossbones made of ones and zeros.]

Google’s Project Zero says hackers have been actively exploiting a Windows zero-day that is unlikely to be patched until almost two weeks from now.

In keeping with its longstanding policy, Google’s vulnerability research team gave Microsoft seven days to fix the security bug because it is being actively exploited. Typically, Project Zero discloses vulnerabilities 90 days after reporting them or when a patch is available, whichever comes first.

CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate their privileges on the system. Attackers are combining an exploit for it with a separate exploit that targets a recently fixed vulnerability in Chrome. The Windows exploit allows the Chrome exploit to escape the browser’s security sandbox so that code can be executed on vulnerable machines.

CVE-2020-117087 stems from a buffer overflow in the part of Windows used for cryptographic functions. Its input/output control (IOCTL) interface can be used to transfer data into a part of Windows that allows code execution. Friday’s post said the vulnerability is present in Windows 7 and Windows 10 and did not mention other versions.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports multiple IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”
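The two paragraphs above describe the defect class at a high level: a kernel driver accepts an IOCTL whose input structure carries a caller-declared length, and copies that many bytes into a fixed-size kernel buffer without checking it. The following C program is an added example written for this article; it is not the cng.sys code, not Project Zero’s proof of concept, and the `struct ioctl_in` layout, the `IOCTL_MAGIC` value, the 32-byte buffer size and the status codes are all constructed for illustration. It simulates kernel memory with a flat byte array so the overrun lands on a canary word and can be observed rather than crashing, and places the unchecked handler beside the hardened one so the missing checks are visible side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical IOCTL input structure: a header with a caller-declared length
 * followed by variable-length data. This is NOT the real cng.sys layout. */
struct ioctl_in {
    uint32_t magic;
    uint32_t key_len;   /* caller-declared byte length of key[] */
    uint8_t  key[];     /* flexible array member: the payload bytes */
};

#define IOCTL_MAGIC   0x43474Eu   /* constructed value for this demo */
#define KEY_BUF_SIZE  32u         /* size of the simulated kernel-side buffer */
#define CANARY        0xDEADBEEFu /* word placed right after the buffer */

/* Simulated kernel memory: key buffer, then the canary, then slack so that an
 * overrun of up to 56 bytes stays inside the array and is well-defined. */
struct kmem {
    uint8_t bytes[KEY_BUF_SIZE + sizeof(uint32_t) + 28];
};

enum status { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1 };

static void kmem_init(struct kmem *m) {
    uint32_t c = CANARY;
    memset(m->bytes, 0, sizeof m->bytes);
    memcpy(m->bytes + KEY_BUF_SIZE, &c, sizeof c);
}

/* Returns 1 if the canary directly after the key buffer is untouched. */
int canary_intact(const struct kmem *m) {
    uint32_t c;
    memcpy(&c, m->bytes + KEY_BUF_SIZE, sizeof c);
    return c == CANARY;
}

/* Vulnerable handler: trusts the caller-declared key_len and copies that many
 * bytes into a 32-byte buffer, so an oversized key_len overruns the buffer. */
enum status handle_vulnerable(struct kmem *m, const struct ioctl_in *in, size_t in_len) {
    if (in_len < sizeof *in || in->magic != IOCTL_MAGIC)
        return STATUS_INVALID_PARAMETER;
    memcpy(m->bytes, in->key, in->key_len);      /* no bounds check at all */
    return STATUS_SUCCESS;
}

/* Hardened handler: every length taken from user input is checked against both
 * the buffer the caller actually supplied and the kernel-side buffer. The
 * subtraction form avoids an integer wrap that "key_len + header > in_len"
 * could suffer. */
enum status handle_hardened(struct kmem *m, const struct ioctl_in *in, size_t in_len) {
    if (in_len < sizeof *in || in->magic != IOCTL_MAGIC)
        return STATUS_INVALID_PARAMETER;
    if (in->key_len > in_len - sizeof *in)        /* declared length exceeds supplied bytes */
        return STATUS_INVALID_PARAMETER;
    if (in->key_len > KEY_BUF_SIZE)               /* would overrun the kernel buffer */
        return STATUS_INVALID_PARAMETER;
    memcpy(m->bytes, in->key, in->key_len);
    return STATUS_SUCCESS;
}

/* Builds a constructed 64-byte request (8-byte header + 56 bytes of 'A') with
 * the given declared key_len and runs it through one handler. Writes whether
 * the canary survived to *intact and returns the handler's status. */
static enum status run_request(int hardened, uint32_t key_len, int *intact) {
    union { uint8_t raw[64]; uint32_t align; } u;   /* keeps the header aligned */
    struct ioctl_in *in = (struct ioctl_in *)u.raw;
    struct kmem m;
    enum status s;

    memset(u.raw, 'A', sizeof u.raw);
    in->magic = IOCTL_MAGIC;
    in->key_len = key_len;
    kmem_init(&m);
    s = hardened ? handle_hardened(&m, in, sizeof u.raw)
                 : handle_vulnerable(&m, in, sizeof u.raw);
    *intact = canary_intact(&m);
    return s;
}

/* Convenience wrappers so each outcome can be checked as a return value. */
int request_status(int hardened, uint32_t key_len) {
    int intact;
    return (int)run_request(hardened, key_len, &intact);
}
int request_canary_intact(int hardened, uint32_t key_len) {
    int intact;
    run_request(hardened, key_len, &intact);
    return intact;
}

int main(void) {
    const uint32_t lens[] = { 16, 40 };
    for (size_t i = 0; i < 2; i++) {
        printf("key_len=%u vulnerable: status=%d canary_intact=%d\n", lens[i],
               request_status(0, lens[i]), request_canary_intact(0, lens[i]));
        printf("key_len=%u hardened:   status=%d canary_intact=%d\n", lens[i],
               request_status(1, lens[i]), request_canary_intact(1, lens[i]));
    }
    return 0;
}
```

With a 16-byte key both handlers succeed and the canary is intact; with a declared length of 40 the vulnerable handler reports success while the canary has been overwritten, and the hardened handler rejects the request before any copy happens. The second check in the hardened handler (declared length versus bytes actually supplied) is the one most often forgotten, and it is the one that stops the driver from reading past the end of the user buffer even when the kernel buffer itself is large enough.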

The technical write-up includes proof-of-concept code that can be used to crash Windows 10 machines.

The Chrome vulnerability being chained with CVE-2020-117087 resides in the FreeType font-rendering library, which is included in Chrome and in other apps. The FreeType vulnerability was fixed 11 days ago. It is not clear whether all of the programs that use FreeType have been updated to incorporate the patch.

Project Zero said it hopes Microsoft will patch the vulnerability on November 10, coinciding with that month’s Patch Tuesday. In a statement, Microsoft officials wrote:

Microsoft has a commitment to customers to investigate reported security issues and to update affected devices to protect customers. While we work to meet all researchers’ disclosure deadlines, including the short-term one in this case, developing security updates is a tradeoff between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

A representative said Microsoft has no evidence of the vulnerability being widely exploited and that it cannot be exploited to affect cryptographic functionality. Microsoft did not provide any information about steps Windows users can take until a fix is available.

Project Zero technical lead Ben Hawkes defended the decision to disclose the bug within a week of learning it was being actively exploited:

The short version: we think there’s defensive utility in sharing these details, and that opportunistic attacks using these details between now and the patch release are reasonably unlikely (so far it’s been used as part of an exploit chain, and the entry-point attack is fixed).

The short deadline for in-the-wild exploitation also tries to incentivize out-of-band fixes or other mitigations being developed and shared with urgency. Those are improvements you might expect to see over a longer term.

There are no details on the active exploit other than that it is “unrelated to any US election-related targeting”.
