Your hacker Blog

Google discloses unpatched Windows zero-day exploited in the wild

Google researchers disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation.

Security researchers from Google have disclosed a zero-day vulnerability in the Windows operating system, tracked as CVE-2020-17087, that is currently under active exploitation.

Ben Hawkes, team lead for Google Project Zero team, revealed on Twitter that the vulnerability was chained with another Chrome zero-day flaw, tracked as CVE-2020-15999, that Google recently disclosed.

In addition to last week’s Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk— Ben Hawkes (@benhawkes) October 30, 2020
Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh— Ben Hawkes (@benhawkes) October 20, 2020Google researchers expect a patch for this zero-day flaw to be available on November 10. The Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), confirmed that the vulnerability was exploited in targeted attacks that are not related to the forthcoming US election.

Google did not provide info on the attackers that have already exploited the flaw, but experts speculate that they were nation-state actors.

The Chrome zero-day is a sandbox escape issue, it allows attackers to escape Chrome’s secure container and run code on the underlying operating system.

“We have evidence that the following bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline.” reads Google’s advisory.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a DeviceCNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The Google Project Zero team notified Microsoft last week and gave the company seven days to address the vulnerability, but unfortunately, Microsoft has yet to fix it.

The vulnerability affects all Windows versions between Windows 7 and the most recent Windows 10 release.

Google researchers also published a proof of concept code to exploit this vulnerability.

In March 2019, Google disclosed that that threat actors were chaining a Chrome zero-day (CVE-2019-5786) with a Windows zero-day (CVE-2019-0808) in attacks in the wild.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Windows zero-day)

The post Google discloses unpatched Windows zero-day exploited in the wild appeared first on Security Affairs.