Google’s Project Zero announced that attackers have been actively exploiting a Windows 10 zero-day that is not likely to be patched soon; the patch will probably arrive in two weeks. Under Project Zero’s longstanding disclosure policy, Microsoft was given a seven-day deadline to fix the flaw because it is being actively exploited.
Typically, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.
The vulnerability, named CVE-2020-117087, allows attackers to give themselves admin privileges. Attackers were chaining it with an exploit for a recently fixed vulnerability in Chrome.
Combining vulnerabilities for attacks
The Chrome vulnerability allowed the other exploit to escape a security sandbox and execute its code on vulnerable machines. CVE-2020-117087 stems from a buffer overflow in a Windows 10 component that provides cryptographic functions.
The driver’s I/O control requests (IOCTLs) can be used to pass data into a kernel component, which then allows the code to execute. The post about the vulnerability indicates that the flaw is present in Windows 7 and 10 but does not mention other versions.
The post said that the Windows Kernel Cryptography Driver exposes the \Device\CNG device to user-mode programs and supports several IOCTLs with non-trivial input structures.
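The class of defect described above, a kernel driver parsing a non-trivial IOCTL input structure and overflowing a fixed buffer, is illustrated here with an added example that is not code from the Project Zero post or from the Windows driver. The structure layout, field names, the 64-byte capacity and the helper names are assumptions; the example shows the three validations a handler must perform before copying caller-supplied data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical layout of a request: a fixed header followed by a variable-length
 * property blob. Names and sizes are assumptions, not the real \Device\CNG structures. */
typedef struct {
    uint32_t property_id;
    uint16_t data_len;            /* caller-declared length of data[] */
    uint8_t  data[];
} prop_request_t;
#define PROP_HDR_LEN  offsetof(prop_request_t, data)
#define MAX_PROP_DATA 64          /* capacity of the kernel-side copy (assumed) */
typedef struct {
    uint32_t property_id;
    uint16_t data_len;
    uint8_t  data[MAX_PROP_DATA];
} prop_kernel_copy_t;
/* Validate and copy one request. input_len is the byte count the I/O manager reports
 * for the IRP input buffer; it is never replaced by a length embedded in the payload.
 * Returns 0 on success, -1 on rejection. */
int parse_prop_request(const void *input, size_t input_len, prop_kernel_copy_t *out)
{
    const prop_request_t *req = input;
    if (input == NULL || out == NULL) return -1;
    /* 1. The header must be fully present before any of its fields is read. */
    if (input_len < PROP_HDR_LEN) return -1;
    /* 2. The declared length must fit the destination; omitting this is the overflow. */
    if (req->data_len > MAX_PROP_DATA) return -1;
    /* 3. The declared length must be backed by bytes actually supplied by the caller. */
    if ((size_t)req->data_len > input_len - PROP_HDR_LEN) return -1;
    out->property_id = req->property_id;
    out->data_len = req->data_len;
    memcpy(out->data, req->data, req->data_len);
    return 0;
}
/* Constructed sample input: a request whose header claims declared_len data bytes
 * while supplied_len bytes in total are handed to the handler. */
int try_request(uint16_t declared_len, size_t supplied_len)
{
    union { uint8_t b[256]; uint32_t align; } u;   /* keeps the header 4-byte aligned */
    prop_kernel_copy_t copy;
    uint32_t id = 7;
    if (supplied_len > sizeof u.b) supplied_len = sizeof u.b;
    memset(u.b, 0x41, sizeof u.b);                 /* filler payload bytes */
    memcpy(u.b, &id, sizeof id);
    memcpy(u.b + 4, &declared_len, sizeof declared_len);
    return parse_prop_request(u.b, supplied_len, &copy);
}
```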
Fixes are on the way
Together, these factors create a locally accessible attack surface that attackers can use for privilege escalation, such as escaping a sandbox. The post included a proof-of-concept that people could use to crash Windows machines.
The Chrome flaw, which was chained with CVE-2020-117087, resided in the FreeType font rendering library included in Chrome and in apps from other developers. The FreeType flaw was fixed about two weeks ago.
It is not immediately apparent whether all programs using FreeType have been updated to patch the flaw. Project Zero expects Microsoft to have fixed the vulnerability by November 10.