Google Project Zero details active Windows zero-day vulnerability
Researchers at Google LLC’s Project Zero have disclosed a new Windows vulnerability that allows attackers to bypass security to install malicious software.
Detailed late last month by researchers Mateusz Jurczyk and Sergei Glazunov, the zero-day (a vulnerability previously unknown to the vendor) relates to an integer overflow flaw in input/output control (IOCTL) handling in the Kernel Cryptography Driver in Windows. Combined with a previously fixed flaw in Google Chrome, hackers could exploit the vulnerability to escape a security sandbox and execute code on vulnerable machines.
As Ars Technica explained Friday, the vulnerability, formally known as CVE-2020-17087, is the result of a buffer overflow in the part of Windows that handles input/output control requests. Those requests can then be used to pipe data to parts of Windows that allow for code execution.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the Project Zero researchers noted. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”
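To illustrate the flaw class the article names, an integer overflow in a kernel driver's validation of a non-trivial IOCTL input structure, here is an added example in C. It is not code from cng.sys, Project Zero or Microsoft: the request layout, field names and size limit are hypothetical. It shows how a length check done in 32-bit arithmetic can wrap and accept an oversized request, and the bounds check a driver should use instead.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical IOCTL input structure: a header followed by a variable
 * payload, each with a caller-supplied length (constructed for this example). */
typedef struct {
    uint32_t header_len;
    uint32_t payload_len;
} request_t;

/* Hypothetical maximum size a driver is willing to buffer for one request. */
#define MAX_REQUEST 0x10000u

/* The real number of bytes the two parts would occupy, computed without
 * truncation so the reader can compare it with the wrapped value. */
uint64_t true_total_bytes(uint32_t header_len, uint32_t payload_len) {
    return (uint64_t)header_len + (uint64_t)payload_len;
}

/* The value a 32-bit addition actually produces; it silently wraps modulo 2^32. */
uint32_t wrapped_total_bytes(uint32_t header_len, uint32_t payload_len) {
    return header_len + payload_len;
}

/* Vulnerable pattern: the sum wraps before it is compared with the limit, so a
 * request whose parts total far more than MAX_REQUEST can pass as "small".
 * A buffer sized from this wrapped total would be far too short for the data
 * later copied into it. */
bool vulnerable_length_ok(const request_t *req) {
    uint32_t total = req->header_len + req->payload_len;  /* may wrap */
    return total <= MAX_REQUEST;
}

/* Hardened pattern: reject each part that alone exceeds the limit, then check
 * the second part against the remaining room. No addition can overflow, so
 * the wrap seen above cannot occur. Portable C; no compiler builtins needed. */
bool hardened_length_ok(const request_t *req) {
    if (req->payload_len > MAX_REQUEST)
        return false;
    if (req->header_len > MAX_REQUEST - req->payload_len)
        return false;
    return true;
}

int main(void) {
    /* Constructed inputs: one benign request and one crafted so the 32-bit
     * sum wraps to a small value. */
    request_t benign  = { 0x10u, 0x100u };
    request_t wrapped = { 0x10u, 0xFFFFFFF8u };

    bool v1 = vulnerable_length_ok(&benign);   /* true, correctly */
    bool v2 = vulnerable_length_ok(&wrapped);  /* true, wrongly: sum wrapped to 8 */
    bool h1 = hardened_length_ok(&benign);     /* true */
    bool h2 = hardened_length_ok(&wrapped);    /* false */
    return (v1 && v2 && h1 && !h2) ? 0 : 1;
}
```

The defensive point is that a size computed from caller-controlled fields must be checked for wrap-around before it is compared with a limit or used to size an allocation; comparing each part against the limit, or using a wider integer type for the sum, removes the overflow entirely.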
Despite having adopted a policy in January of waiting 90 days before disclosing security vulnerabilities, Project Zero decided to publish this one after seven days because it is said to be under active exploitation. Microsoft Corp., while confirming the vulnerability, said it had no evidence that it was being exploited in the wild. A patch for the vulnerability is expected Nov. 10 as part of Microsoft’s monthly Patch Tuesday release.
The vulnerability disclosure comes as Microsoft is once again warning that threat actors continue to exploit the “Zerologon” Windows Server vulnerability it first disclosed in September. In a statement Oct. 29, Microsoft said that it “has received a small number of reports from customers and others about continued activity exploiting a vulnerability,” which Microsoft calls Netlogon.
A patch for the Zerologon/Netlogon vulnerability was released in August.
“The continued exploitation of a vulnerability allowing attackers easy and unfettered access to the whole of an organization’s digital resources should come as no surprise,” Adam Laub, general manager of cybersecurity firm Stealthbits Technologies Inc., told SiliconANGLE. “Threat actors will attempt to discover and exploit this vulnerability for as long as it continues to work.”
But he added that although continued exposure to the vulnerability doesn’t necessarily mean negligence on the part of organizations that have fallen victim, the most likely reason they have fallen victim is that they have failed to patch the issue. “Because non-Windows or homegrown applications and resources may not be able to leverage secure connections via Netlogon at this time, it has undoubtedly forced some organizations to weigh the risks between the possibility of compromise and the certainty of service downtime,” he said.