In a recent revelation, researchers from Google’s Project Zero have identified a significant vulnerability in the Windows kernel. This zero-day flaw, identified as CVE-2020-17087, is currently being exploited alongside a known issue in Google Chrome, marking a troubling development in targeted cyberattacks.
The vulnerability resides within the Windows Kernel Cryptography Driver and creates a 'locally accessible attack surface that can be exploited for privilege escalation,' according to insights from Project Zero. This means that attackers could potentially escape a secure environment, or sandbox.
Remarkably, while testing a proof-of-concept on a recent build of Windows 10, the researchers discovered that the issue may extend back to Windows 7 installations. The implications of such a long-standing vulnerability are concerning for users who have not updated their systems.
Alongside this Windows zero-day, attackers are utilizing CVE-2020-15999, which is related to a heap buffer overflow in Chrome's FreeType implementation, a commonly used font rendering library. Recently patched after being disclosed in late October, this Chrome issue is also part of the ongoing exploitation.
Career Journey
Project Zero's protocol usually involves disclosing vulnerabilities after a standard 90-day period or once a fix is available. However, in this case, they chose to reveal the flaws just seven days after notifying Microsoft due to the active exploitation observed in the wild. "We think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely," said Ben Hawkes, the technical lead at Project Zero, defending the early disclosure.
"We think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely,"
Remarkably, a patch for CVE-2020-17087 is expected to be included in Microsoft’s monthly Patch Tuesday rollout on November 10. This timeline underscores the urgency as organizations prepare to mitigate risks associated with this vulnerability.
Shane Huntley, the director of Google’s Threat Analysis Group (TAG), pointed out that these exploits are targeted and not linked to any activities regarding the recent U.S. elections. Despite concerns about the attacks, specific details about the characteristics of the active exploitation have not been disclosed, which leaves organizations on high alert.
As cybersecurity remains a paramount concern for both individuals and corporations, the emergence of this exploit chain serves as a critical reminder of the importance of promptly applying security updates and patches. With the interconnected nature of operating systems and applications, such vulnerabilities can pose a significant threat to user security and privacy, making awareness and decisiveness essential in the fight against cybercrime.
Heading into the patch rollout, users are urged to remain vigilant about their system updates and to educate themselves on potential phishing attempts that may arise as attackers seek to exploit the chaos surrounding vulnerabilities. The ongoing developments are indicative of a landscape where cyber threats evolve rapidly, necessitating adaptive and proactive measures from all.
