Security researchers Mateusz Jurczyk and Sergei Glazunov of Google Project Zero recently disclosed a zero-day kernel flaw in Windows, known as CVE-2020-17087. The team suspects that all supported Windows versions are affected, exposing users to targeted attacks. Not only is the bug being exploited in the wild, but it is also combined with a Google Chrome vulnerability, CVE-2020-15999.
This actively exploited Chrome zero-day is a memory-corruption vulnerability, specifically a heap buffer overflow in FreeType, the open-source font-rendering library bundled with standard Chrome distributions. The flaw was discovered by Google Project Zero’s security researcher Sergei Glazunov on October 19. The two vulnerabilities are chained together in attacks against Windows users.
CVE-2020-17087 exploited in active targeted attacks
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” the two researchers wrote.
Proof-of-concept code tested on 64-bit Windows 10 1903 is also available. Although the proof of concept was tested only on that build, the affected driver, cng.sys, appears to have been present since at least Windows 7, so all supported versions of Microsoft’s operating system could be vulnerable.
Shane Huntley, Director of Google’s Threat Analysis Group, confirmed that CVE-2020-17087 and CVE-2020-15999 are chained together in targeted attacks, which are reportedly unrelated to any US election-related targeting. How are the two vulnerabilities used in the attacks? The Chrome issue is used for initial entry, and once access is obtained, the Windows kernel zero-day is used to escalate to administrative rights.
When is the patch for CVE-2020-17087 expected?
This month’s Patch Tuesday should address the issue. The Chrome vulnerabilities received a patch on October 21. Since the attacks are targeted, the number of affected users should be small. Still, keeping your operating system and browsers patched is a basic security practice, so don’t underestimate its importance.