Google discloses Windows zero-day bug exploited in the wild

UPDATE (November 11^th, 2020): As expected, Microsoft rolled out a fix for the vulnerability in the November 2020 Patch Tuesday release.

Google’s Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers.

The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)".

The researchers also released proof-of-concept (PoC) code that they’d tested out on a recent version of Windows 10 (version 1903, 64-bit) and believe that the security bug could have been around since Windows 7, meaning that all versions from Windows 7 through 10 could be affected.

Per media reports, the flaw is being exploited in conjunction with another zero-day, which is indexed as CVE-2020-15999 and affects FreeType, a widely used software development library that is also part of Google Chrome.

Google reported the discovery of the newly-found bug, which is tracked as CVE-2020-17087, to Microsoft, but since it found evidence of the loophole being exploited in the wild, it opted for a short, seven-day disclosure deadline.

The patch still a few days away

Currently, the security loophole doesn’t have a patch, but Project Zero’s technical lead Ben Hawkes tweeted that they do expect one to be released on November 10^th, which coincides with the upcoming Patch Tuesday.

Microsoft, meanwhile, provided this statement to TechCrunch:

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”

A company spokesperson also went to add that the attack seems to be quite limited and that there is no proof pointing to it being a widespread issue. The attacks are thought to be unrelated to the upcoming US presidential election.

Since the beginning of this year, Microsoft has disclosed and patched several severe bugs in Windows, including a pair of zero-days back in March and a vulnerability uncovered by the United States’ National Security Agency (NSA).