The security hole isn’t expected to be plugged until the forthcoming Patch Tuesday bundle of security fixes
UPDATE (November 11th, 2020): As expected, Microsoft rolled out a fix for the vulnerability in the November 2020 Patch Tuesday release.
Google’s Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers.
The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)”.
The researchers also released proof-of-concept (PoC) code, which they tested on a recent version of Windows 10 (version 1903, 64-bit). They believe that the security bug could have been around since Windows 7, meaning that all versions from Windows 7 through 10 could be affected.
Per media reports, the flaw is being exploited in conjunction with another zero-day, which is indexed as CVE-2020-15999 and affects FreeType, a widely used software development library that is also part of Google Chrome.
Google reported the newly found bug, which is tracked as CVE-2020-17087, to Microsoft, but since it found evidence of the loophole being exploited in the wild, it opted for a short, seven-day disclosure deadline.
The patch is still a few days away
Currently, the security loophole doesn’t have a patch, but Project Zero’s technical lead Ben Hawkes tweeted that they do expect one to be released on November 10th, which coincides with the upcoming Patch Tuesday.
The short deadline for in-the-wild exploit also tries to incentivize out-of-band patches or other mitigations being developed/shared with urgency. Those improvements you might expect to see over a longer term period.
— Ben Hawkes (@benhawkes) October 30, 2020
Microsoft, meanwhile, provided this statement to TechCrunch:
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
A company spokesperson went on to add that the attack seems to be quite limited and that there is no proof pointing to it being a widespread issue. The attacks are thought to be unrelated to the upcoming US presidential election.
Since the beginning of this year, Microsoft has disclosed and patched several severe bugs in Windows, including a pair of zero-days back in March and a vulnerability uncovered by the United States’ National Security Agency (NSA).