Google’s Project Zero discloses Windows 0day that’s been under active exploit

[Karlston]

Google’s Project Zero discloses Windows 0day that’s been under active exploit

Security flaw lets attackers escape sandboxes designed to contain malicious code.

Enlarge

Getty Images

23 with 20 posters participating

Google’s project zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.

 

In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

 

CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

 

CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday's post indicated the flaw is in Windows 7 and Windows 10, but made no reference to other versions.

 

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

 

The technical write up included a proof-of-concept code people can use to crash Windows 10 machines.

 

The Chrome flaw that was combined with CVE-2020-117087 resided in the FreeType font rendering library that’s included in Chrome and in applications from other developers. The FreeType flaw was fixed 11 days ago. It’s not clear if all programs that use FreeType have been updated to incorporate the patch.

 

Project Zero said it expects Microsoft to patch the vulnerability on November 10, which coincides with that month’s Update Tuesday. In a statement, Microsoft officials wrote:

Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

A representative said that Microsoft has no evidence the vulnerability is being widely exploited and that the flaw can't be exploited to affect cryptographic functionality. Microsoft didn't provide any information on steps Windows users can take until a fix becomes available.

 

Project Zero technical lead Ben Hawkes defended the practice of disclosing zerodays within a week of them being actively exploited.

The quick take: we think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable unlikely (so far it's been used as part of an exploit chain, and the entry-point attack is fixed)

 

The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.

There are no details about the active exploits other than it’s “not related to any US election related targeting.”

 

 

Google’s Project Zero discloses Windows 0day that’s been under active exploit

 

[steven36]

Google Chrome  is always under  active  exploit by Koren Hackers Trend Micro reported about it why is it Google only finds  stuff in other peoples software but  don't find stuff  in there  own software  .. Meanwhile Google  been doing this to Apple , Microsoft  and Linux  for years. It kind of dangerous on  closed source  software were they  patch slow  to tell even more hackers  about it even if it is in the wild  many windows exploits have been used in multiple versions of malware .💀

 

Conclusions
The Operation Earth Kitsune campaign remains very active and still relatively unknown due to the
implementation of various techniques, such as security software checks during malware deployment,
that are designed to hide the threat actors orchestrating the campaign.

We believe that a very capable group is behind the campaign, given the samples’ design and the number
of deployed vectors. All compromised websites follow a common pattern in terms of the web tools used
and the contextual content they contain. This relation is further backed by the commonalities in the
organization types and the maintenance of the initial vectors that are deployed from the same related
websites.

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf

[caraid]

11 hours ago, steven36 said:

Google Chrome  is always under  active  exploit by Koren Hackers Trend Micro reported about it why is it Google only finds  stuff in other peoples software but  don't find stuff  in there  own software  .

 

Very good observation. Remember the Christian Bible's admonition which states "And why beholdest thou the mote that is in thy brother's eye, but considerest not the beam that is in thine own eye?" (King James Version, Matthew 7:3)

 

It's for commercial reasons that Google does so.

 

11 hours ago, steven36 said:

We believe that a very capable group is behind the campaign, given the samples’ design and the number
of deployed vectors.

 

No prizes for guessing which country supplies the tools and methods of implanting malware. Both South Korea and Japan are staunch allies of the USA. They have been since the end of WWII.