The Windows 10 operating system is affected by a zero-day vulnerability (CVE-2020-17087) that is being actively exploited by cybercriminals, Google has revealed. According to Ben Hawkes of Project Zero, Google’s security research team, the vulnerability has nothing to do with the upcoming U.S. presidential election.
The vulnerability affects Kernel Cryptography Driver
Microsoft rolls out its monthly security updates on the second Tuesday of each month (Mega Patch Tuesday). As a result, Microsoft will release this month's security patch on November 10, 2020. The update will fix this vulnerability.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
This vulnerability affects operating system versions from Windows 7 to Windows 10 and has been classified as critical. The bug is in the function CfgAdtpFormatPropertyBlock in the file cng.sys, part of the Kernel Cryptography Driver component. It can allow attackers to gain unauthorized access to affected machines by obtaining additional permissions.
In its technical documentation describing the CVE-2020-17087, Google says:
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”
According to Google, the bug resides in the cng!CfgAdtpFormatPropertyBlock function and is triggered by a 16-bit integer truncation issue.
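The bug class named above, 16-bit integer truncation of a computed buffer size, can be shown with a small hex formatter. This is an added example, not code from cng.sys or from Google's report; the function names and the expansion factor of 6 output bytes per input byte are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed for illustration: each input byte becomes "xx " in 16-bit chars. */
#define OUT_BYTES_PER_IN 6u

/* Flawed pattern: the 32-bit product is silently narrowed to 16 bits,
 * so a large input yields a small allocation size. */
uint16_t truncated_size(uint32_t in_len) {
    return (uint16_t)(in_len * OUT_BYTES_PER_IN);
}

/* Bytes the formatting loop would write beyond a truncated allocation. */
uint32_t shortfall(uint32_t in_len) {
    return in_len * OUT_BYTES_PER_IN - truncated_size(in_len);
}

/* Hardened pattern: reject lengths whose output size cannot fit in 16 bits. */
bool checked_size(uint32_t in_len, uint16_t *out_size) {
    if (in_len > UINT16_MAX / OUT_BYTES_PER_IN)
        return false;
    *out_size = (uint16_t)(in_len * OUT_BYTES_PER_IN);
    return true;
}

/* Formats src as hex text into a new buffer; returns NULL when the input
 * is empty, too large for a 16-bit size, or allocation fails. */
uint16_t *format_hex(const uint8_t *src, uint32_t in_len, uint16_t *out_size) {
    static const char digits[] = "0123456789abcdef";
    if (!checked_size(in_len, out_size) || *out_size == 0)
        return NULL;
    uint16_t *dst = malloc(*out_size);
    if (dst == NULL)
        return NULL;
    for (uint32_t i = 0; i < in_len; i++) {
        dst[3 * i]     = (uint16_t)digits[src[i] >> 4];
        dst[3 * i + 1] = (uint16_t)digits[src[i] & 0x0f];
        dst[3 * i + 2] = (uint16_t)' ';
    }
    return dst;
}
```

The size check runs before any allocation or copy, so an oversized request fails cleanly instead of producing an undersized buffer.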
Information about possible countermeasures remains unknown at the moment. We also don’t know which hacking groups benefited from this vulnerability. Most zero-day vulnerabilities are exploited in state-sponsored attacks.
This vulnerability was also confirmed by the director of Google’s Threat Analysis Group (TAG) Shane Huntley.
Last week, Google’s internal security team disclosed a zero-day vulnerability (CVE-2020-15999) affecting Chrome. It’s a memory corruption bug that resides in the FreeType font rendering library. According to Google, someone exploited this vulnerability to target Chrome users.
Although Chrome has already patched CVE-2020-15999, Microsoft’s upcoming Mega Patch Tuesday will also cover this issue.