According to the latest news, Microsoft has confirmed a high-severity Windows driver bug that Google Project Zero detailed last month. As per the report, the zero-day vulnerability, tracked as CVE-2020-17087, affects all versions of Windows from Windows 7 onwards. The researchers announced that the flaw was being exploited in tandem with a Google Chrome flaw tracked as CVE-2020-15999.
Microsoft said that it is a vulnerability in the Windows Kernel Cryptography Driver. The Project Zero team said the bug “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)”.
What that means in essence is that it might allow a local attacker to trigger a pool-based buffer overflow, leading to a system crash, thereby enabling possible exploitation. “The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue.”
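To illustrate the bug class named in that quote, here is an added example (not code from the report and not the actual cng.sys logic) modelling how a 16-bit truncation of a caller-controlled length can size a buffer smaller than the write that follows, and the bounds check that prevents it; the function names and the property/header layout are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical model of a 16-bit integer truncation defect: a length
 * computed in 32 bits is stored into a 16-bit field and then used as the
 * allocation size, while the copy that follows still uses the full length.
 * This is an illustration of the bug class, not the driver's real code. */

/* Allocation size a truncating implementation would use. The cast
 * silently discards the high 16 bits of the 32-bit sum. */
uint16_t truncated_alloc_size(uint32_t property_len, uint32_t header_len)
{
    uint32_t total = property_len + header_len;   /* 32-bit arithmetic */
    return (uint16_t)total;                        /* e.g. 0x1000C -> 0x000C */
}

/* True when the truncated allocation is smaller than the number of bytes
 * the caller intends to write, i.e. a pool buffer overflow would occur. */
bool write_would_overflow(uint32_t property_len, uint32_t header_len)
{
    uint16_t alloc = truncated_alloc_size(property_len, header_len);
    return (uint32_t)alloc < property_len + header_len;
}

/* Hardened variant: reject any length that cannot be represented in the
 * 16-bit field before it is used as a size. Returns the size on success
 * or -1 when the input is rejected. */
long checked_alloc_size(uint32_t property_len, uint32_t header_len)
{
    uint32_t total;
    if (property_len > UINT16_MAX || header_len > UINT16_MAX)
        return -1;                         /* either operand alone would not fit */
    total = property_len + header_len;     /* cannot overflow 32 bits after the checks */
    if (total > UINT16_MAX)
        return -1;                         /* sum does not fit the 16-bit field */
    return (long)total;
}
```

The hardened check is the shape a reviewer would look for: validate that a length fits the field it is stored in before that field is used for allocation.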
To demonstrate possible attack scenarios, the researchers used a proof-of-concept exploit that works on an up-to-date build of Windows 10 1903 (64-bit). Microsoft is expected to ship a patch for this vulnerability in its next Patch Tuesday update on 10th November.
Microsoft confirmed that the vulnerability is not being used in any US election-related attacks. The company further said that it is looking to balance ‘timeliness and quality’ while rolling out the patch.
On the other hand, Google Project Zero is getting some flak from sections of the cybersecurity community for disclosing the bug before a patch, but according to Ben Hawkes, one of the researchers, Google Project Zero did it because “(further) attacks using these details between now and the patch being released is reasonably unlikely”.
In addition to last week’s Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
— Ben Hawkes (@benhawkes) October 30, 2020