Microsoft has confirmed a high-severity Windows driver bug detailed by Google Project Zero last month. According to the report, the zero-day vulnerability (tracked as CVE-2020-17087) affects all versions of Windows going back to at least Windows 7 and is already being actively exploited in the wild. The researchers also announced that the flaw was being exploited in tandem with a Google Chrome flaw (CVE-2020-15999) that has since been patched.
According to GPZ, CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)”. In essence, it allows a local attacker to trigger a pool-based buffer overflow, which can crash the system and potentially be exploited further. “The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue”, said the Project Zero team.
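As an added illustration of the bug class named above (a computed buffer size narrowed to 16 bits before allocation while the full-width value is used for writing), this is example code, not code from the Project Zero report or from cng.sys; the expansion factor, function names and input lengths are assumed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed expansion factor (hypothetical, not taken from the real driver):
 * each input byte is expanded to this many output bytes when formatted. */
#define BYTES_PER_INPUT_BYTE 6u

/* Vulnerable pattern: the product is narrowed to 16 bits before it reaches
 * the allocator, so once input_len * 6 exceeds 65535 the buffer is too small. */
uint16_t truncated_alloc_size(size_t input_len) {
    return (uint16_t)(input_len * BYTES_PER_INPUT_BYTE);
}

/* Bytes the formatting loop would actually write, computed in full width. */
size_t bytes_written(size_t input_len) {
    return input_len * BYTES_PER_INPUT_BYTE;
}

/* True when the narrowed allocation is smaller than what gets written. */
bool truncation_undersizes(size_t input_len) {
    return (size_t)truncated_alloc_size(input_len) < bytes_written(input_len);
}

/* Hardened pattern: keep the product in size_t, reject multiplication
 * overflow explicitly, and (only if the size must live in a 16-bit field)
 * reject inputs that field cannot represent instead of silently wrapping. */
bool checked_alloc_size(size_t input_len, size_t *out) {
    if (input_len > SIZE_MAX / BYTES_PER_INPUT_BYTE) return false; /* mul overflow */
    size_t needed = input_len * BYTES_PER_INPUT_BYTE;
    if (needed > UINT16_MAX) return false; /* would not fit a 16-bit size field */
    *out = needed;
    return true;
}

int main(void) {
    /* Constructed sample lengths around the 16-bit boundary (10922 * 6 = 65532). */
    size_t lens[] = {100, 10922, 10923, 20000};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t safe = 0;
        printf("len=%zu truncated=%u written=%zu undersized=%d checked_ok=%d\n",
               lens[i], truncated_alloc_size(lens[i]), bytes_written(lens[i]),
               truncation_undersizes(lens[i]), checked_alloc_size(lens[i], &safe));
    }
    return 0;
}
```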
To demonstrate possible attack scenarios, the researchers used a proof-of-concept exploit that they say works on an up-to-date build of Windows 10 1903 (64-bit). According to the researchers, Microsoft will patch the bug through its next Patch Tuesday update on November 10. The vulnerability is apparently not being used in any US election-related attacks, which is why the company says it is looking to balance ‘timeliness and quality’ while rolling out a fix.
It is worth noting that GPZ is getting some flak from sections of the cyber-security community for disclosing the bug just a week after reporting it to Microsoft, but according to Ben Hawkes, one of the researchers, they did so because “(further) attacks using these details between now and the patch being released is reasonably unlikely”.