Google’s Project Zero team known to discover security threats has disclosed a zero-day vulnerability in Windows that it believes affects versions from Windows 7 all the way to Windows 10 version 1903 - which was the version that the team tested its code on. The company’s post says that it has evidence of active exploits, which could allow attackers to execute code with elevated permissions.
What’s interesting is that the vulnerability that is tracked with the label CVE-2020-17087, coupled with another actively exploited Chrome zero-day vulnerability disclosed last week (CVE-2020-15999), performs what is known as a sandbox escape. This is where the malicious actor leverages these two bugs to execute code on a compromised target by escaping the secure environment of the browser, explains ZDNet’s Catalin Cimpanu.
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk— Ben Hawkes (@benhawkes) October 30, 2020
The disclosure post also adds that Microsoft will be patching this vulnerability with the upcoming Patch Tuesday updates on November 10. However, the fixes for Windows 7 versions will only make it to users that have subscribed for extended security updates (ESU), so not all users will be able to patch their Windows 7 systems. Since the bug was being actively exploited, the search giant’s team provided Microsoft with seven days to patch the bug before disclosing it publicly today.
Google has already patched the Chrome vulnerability with stable build version 86.0.4240.1111. As for the Windows bug, the vulnerability lies in the Windows Kernel Cryptography Driver (cng.sys), which the Project Zero team explains in detail in the post here. The company has also attached a proof-of-concept code to show how the exploit could crash the system.
Additionally, Google’s Threat Analysis Group direction Shane Huntly has confirmed that the exploit is not related to any state-sponsored attack on the upcoming U.S. election.