Google’s Project Zero team has shared information on a zero-day security vulnerability CVE-2020-0986 that affects systems running Microsoft Windows. The Project Zero team is known for crawling the cyberspace for potential vulnerabilities and making organizations and people aware of those vulnerabilities.
Google on Microsoft Windows vulnerability
According to the reports, Project Zero intimated Microsoft about the vulnerability on September 24, but the company has failed to release an effective patch so far. It basically puts all Windows users at risk.
The history of the patch goes way further than September 24, though. According to cybersecurity experts, an anonymous user reported this Windows vulnerability in December 2019. Throughout the past year, several security firms and experts talked about the issue. It was known that the vulnerability is making use of a privilege exploit in the GDI Print/Print Spooler API.
More importantly, an attacker could leverage this vulnerability to run arbitrary code on the victim’s computer or even make system-level changes. Judging the impact this vulnerability could cause on a Windows 10 or earlier PC, it is surprising that Microsoft hasn’t released a patch for the issue so far.
In between discovering the vulnerability in December 2019 and the public announcement in December 2020, ZDI also released a zero-day advisory to the customers. This, however, was followed by a series of attacks that focused on a South Korean company. The hacking campaign was called Operation PowerFall, an attack that Kaspersky technology prevented.
Following the issue, Kaspersky shared the info with Microsoft in June 2020 as well. Although the company released a patch in July 2020, it was not effective in dealing with the problem. It means the vulnerability is still unpatched.
Considering that the Project Zero team has discussed the problem in detail, we should soon expect a proper Microsoft response. If not an instant patch, the company would tell users how to protect their computers from the 0-day bug until the backdoor can be closed, once and for all.
It is still unclear why Microsoft did not address the problem within a 90-day window.