Microsoft Will Patch Zero-Day Flaw Found by Google

Google's Project Zero Disclosed Bug Without Patch Due to Exploitation
Microsoft plans to patch on Nov. 10 a zero-day kernel vulnerability found by Google’s Project Zero bug-hunting team.

On Friday, Google publicly released the details of the vulnerability, CVE-2020-117087. Google normally gives 90 days’ notice before releasing details of code vulnerabilities, but this bug marked an exception.

“We have evidence that the following bug is being used in the wild,” according to Project Zero’s writeup. “Therefore, this bug is subject to a 7-day disclosure deadline.”

The privilege escalation bug creates a “locally accessible attack surface” related to the Windows Kernel Cryptography Driver, Project Zero says. Exploiting it could allow a sandbox escape. The problem “resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” Project Zero says.

The vulnerability has been present since at least Windows 7, Project Zero says.

Microsoft says that while it tries to meet even short-term deadlines set by security researchers to fix vulnerabilities, “developing a security update is a balance between timeliness and quality.”

“Our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company says in a statement.

Not Used in Election Attacks

The bug has not been used in election-related attacks, writes Ben Hawkes, who is Project Zero’s technical lead.

The U.S. government has been keeping close watch for suspicious cyber activity as the presidential election has drawn closer. It has advised local governments to be on guard for intrusions perpetrated by Iran and Russia, whose activity has increased.

Last week, Iran was blamed for using voter registration information to send thousands of intimidating emails to registered Democrats, advising them to vote for Trump “or else.”

Late last week, the FBI and the Cybersecurity and Infrastructure Security Agency released more details about the email campaign, adding that the Iranian group successfully obtained voter registration data from at least one state that it did not identify (see Election Interference: Feds Detail Iran's Alleged Campaign).

Also, the FBI and CISA warned that Russia had exfiltrated data from two servers belonging to local government agencies, although they did not identify those affected. The Russian group is a long-known APT actor called Berserk Bear and is believed to be run by Russia's Federal Security Service, which is known as the FSB (see US Officials Blame Data Exfiltration on Russian APT Group).

Attacks Tied to FreeType Flaw

The attacks observed so far used CVE-2020-117087 in combination with a vulnerability in Google’s Chrome browser that has been patched, according to Switzerland’s Computer Emergency Response Team (GovCERT).

The bug, CVE-2020-15999, is a heap buffer overflow in FreeType, which is an open-source font engine.

Google patched the FreeType flaw in Chrome version 86.0.4240.111. Microsoft also updated Edge, its browser that is based on Chromium.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
