Google reveals details of Windows zero-day vulnerability

Hackers are exploiting the vulnerability, in combination with a separate Chrome bug, to launch attacks

Researchers from Google's Project Zero have revealed details of a new Windows zero-day bug that, they say, hackers are exploiting now to run malicious programmes on Windows machines to steal sensitive information.

Indexed as CVE-2020-17087, the bug affects at least Windows 7 and Windows 10, according to Google. Attackers can use the flaw to escalate system privileges. The vulnerability arises due to a buffer overflow in a Windows component used for cryptographic functions.

"The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures," Project Zero team said in a post.

"It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)," they added.

Google researchers have also provided a proof-of-concept (PoC) code that can be used to crash Windows 10 machines.

The researchers say that cyber criminals have been using an exploit for CVE-2020-17087, in combination with a recently fixed Chrome bug, to launch attacks.

CVE-2020-17087 enables the Chrome vulnerability (indexed as CVE-2020-15999) to bypass a security sandbox to run code on vulnerable systems. The Chrome bug was fixed by Google last week.

Shane Huntley, Google's director of threat intelligence, revealed that attacks conducted using CVE-2020-17087 were "targeted" and not related to the US presidential election.

Microsoft is expected to release a patch for the Windows zero-day bug by 10th November, according to Ben Hawkes, Project Zero's technical lead.

Because the bug is currently being exploited, Google Project Zero gave Microsoft seven days to release a patch for the flaw. Usually, Google researchers disclose bug details after 90 days or when a patch becomes available.

In a statement, Microsoft said that it was committed to "investigate reported security issues and update impacted devices to protect customers."

The company stressed that releasing a security fix for the bug demands a balance between quality and timeliness, and that their ultimate goal is to ensure that customers get maximum protection with minimal disruption.

The bug disclosure comes as Microsoft warned last week that it was still receiving reports of hackers attempting to steal domain credentials, using the Windows Zerologon security vulnerability.

Earlier in March, independent researchers disclosed details of the CVE-2020-0796 (SMBGhost) security flaw, which impacts the SMBv3 (Server Message Block 3.0) network communication protocol in some versions of Windows Server and Windows 10 operating systems.

Microsoft warned at that time that the vulnerability could enable attackers to connect to remote systems that have SMB enabled, and to execute malicious code with full privileges.