Posted on November 2, 2020 at 5:12 PM
Google revealed recently that hackers are actively exploiting a previously unknown vulnerability in Windows. Now, security researchers at the tech giant have revealed details about the vulnerability.
Google gave Microsoft a week to provide a patch for the bug before making it public. The company has now published the details, as the one-week deadline has passed.
The vulnerability, dubbed CVE-2020-17087, can affect at least two Windows versions, 7 and 10.
CVE-2020-17087 is visible in the Windows Kernel Cryptography Driver or the cong.sys. It enables the hacker to have more access to any Windows system, allowing the hacker to have admin-level access to the target Windows system.
New zero-day vulnerability on Windows 10
Google has a team of security researchers called Project Zero who hunt zero-day security vulnerability. The team first informed Microsoft about the vulnerability. But Microsoft wasn’t able to release a patch for the vulnerability before it was made public.
According to the Project Zero team, the vulnerability enables the hacker to have increased access level to the victim’s Windows computer. They are applying the Windows bug with another vulnerability in Chrome, which Google revealed and patched last week.
The new vulnerability enables the hacker to stay under the radar of Chrome’s sandbox while running an app on the operating system.
Ben Hawkes, technical head at Google’s Project Zero, revealed that Microsoft will provide a patch for the vulnerability on Nov. 10.
However, he revealed Microsoft did not independently confirm the date when the company was asked.
He said Microsoft released a statement confirming its commitment to examine any reported security issue and provide the right update or patch to the issue.
Apart from the CVE-2020-15999 Chrome/freetype zero-day vulnerability reported last week, the Project Zero team also reported the CVE-2020-17087, a Windows kernel vulnerability utilized for the sandbox escape, with the technical details of the bug available here.
Hackers’ motives not clear
According to the report, the research team is not sure who the attackers are, the threat organization they represent, or their attack motive. However, Shane Huntley, director of threat intelligence in the company, revealed that the attacks are not connected to the upcoming US elections.
A Microsoft spokesman also confirmed that there is no evidence to show the attack is targeted at a particular group or being widely used.
Windows still facing security lapses
This is one of the major vulnerabilities discovered in the Windows system this year. Microsoft revealed that the NSA discovered a cryptographic vulnerability within Windows 10 in January. However, it didn’t see any evidence the vulnerability was exploited.
But the Department of Homeland Security issued security alerts in June and September about “critical” Windows bugs. One of the bugs can gain total access to a Windows network while the other bug can be spread all over the internet in a short time.
Microsoft said it was able to develop a patch for the bug within the shortest possible time, just like it wanted to do in the Project Zero bug disclosure. A security patch was developed within a week, which balances quality and timeliness.
The Project Zero team also shed more light on the impact of the vulnerability, pointing out that it doesn’t mean the system will be shut down when attacked.
A tweet from Hawkes reveals that the fact that the hackers have been actively targeting Windows systems may not lead to the entire shut down of the system. And since the attack requires two vulnerabilities to carry out a successful exploit, it won’t be too easy for a hacker to launch an attack on the Windows systems.
It has now become even more difficult for the attacker to succeed after one of the vulnerabilities, CVE-2020-15999, was patched by Google. The Chrome bug is a browser-based vulnerability from the Chrome browser.
The Project Zero team revealed the importance of applying updates as soon as they are released. According to the security team, once updates are regularly applied, it becomes more difficult for hackers to explore the system.
Presently, no one has reported any attack on Windows vulnerability. But it doesn’t mean attackers are not trying or attempting. They can succeed only when the target system has not applied the Chrome update, the Project Zero team reiterated.