Microsoft Will Patch Zero-Day Flaw Found by Google
Google's Project Zero Disclosed Bug Without Patch Due to Exploitation
Microsoft plans to patch on Nov. 10 a zero-day kernel vulnerability found by Google’s Project Zero bug-hunting team.
On Friday, Oct. 30, Google publicly released details of the vulnerability, CVE-2020-17087. Project Zero normally gives a vendor 90 days before it publishes details of a bug, but a bug that is already being exploited in the wild is an exception.
“We have evidence that the following bug is being used in the wild,” according to Project Zero’s writeup. “Therefore, this bug is subject to a 7-day disclosure deadline.”
The privilege escalation bug is in the Windows Kernel Cryptography Driver, cng.sys, which exposes a device and a set of IOCTLs to user-mode programs and so forms a “locally accessible attack surface,” Project Zero says. Exploiting it could allow a sandbox escape, for example from a compromised browser renderer process. The problem “resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” Project Zero says: a buffer size computed into a 16-bit variable wraps for large inputs, so the allocation is smaller than the data later written into it and the kernel pool is corrupted.
The vulnerability has been present since at least Windows 7, Project Zero says. Windows 7 left support in January 2020 and receives security fixes only through Microsoft's paid Extended Security Updates program, so Windows 7 systems outside that program should be assumed to remain exposed.
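The following C program is an added example, not code from the page or from Project Zero's write-up, and it models only the bug class named above: a buffer size computed into a 16-bit variable while the copy loop uses the full-width length. The 6-output-bytes-per-input-byte ratio (each byte rendered as UTF-16 "xx "), the resulting wrap threshold of 0x2AAB input bytes, and the function names are assumptions for illustration; the actual layout inside cng.sys is not taken from the page. The overflow is simulated by comparing sizes, nothing is written out of bounds, and the hardened variant shows the check that prevents it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed output format for this illustration: each input byte becomes the
 * UTF-16LE text "xx " (three code units = 6 bytes). Not taken from the page. */
#define OUT_BYTES_PER_IN_BYTE 6u

/* Vulnerable pattern: the size is computed into a 16-bit variable. Once
 * in_len * 6 exceeds 0xFFFF (in_len >= 0x2AAB) the product wraps modulo
 * 0x10000 and the allocation becomes far smaller than needed. */
size_t vuln_alloc_size(size_t in_len)
{
    uint16_t cb = (uint16_t)(in_len * OUT_BYTES_PER_IN_BYTE); /* truncated */
    return cb;
}

/* The copy side recomputes the size at full width, so it writes this many
 * bytes regardless of what was allocated. */
size_t bytes_written(size_t in_len)
{
    return in_len * OUT_BYTES_PER_IN_BYTE;
}

/* Returns 1 if the vulnerable allocation would be overrun (simulated only;
 * nothing is actually written out of bounds). */
int would_overflow(size_t in_len)
{
    return bytes_written(in_len) > vuln_alloc_size(in_len);
}

/* Hardened version: do the arithmetic in size_t, reject lengths whose
 * product cannot be represented in the 16-bit field the caller uses, and
 * only then allocate and format. Returns NULL on rejection or OOM. */
uint8_t *format_hex_safe(const uint8_t *in, size_t in_len, size_t *out_len)
{
    static const char hex[] = "0123456789abcdef";
    if (in_len > UINT16_MAX / OUT_BYTES_PER_IN_BYTE)
        return NULL;                          /* would truncate: refuse */
    size_t cb = in_len * OUT_BYTES_PER_IN_BYTE;
    uint8_t *out = malloc(cb ? cb : 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t *p = out + i * OUT_BYTES_PER_IN_BYTE;
        p[0] = (uint8_t)hex[in[i] >> 4];  p[1] = 0;   /* high nibble */
        p[2] = (uint8_t)hex[in[i] & 0xF]; p[3] = 0;   /* low nibble  */
        p[4] = ' ';                       p[5] = 0;   /* separator   */
    }
    *out_len = cb;
    return out;
}

/* Self-check: formats two constructed bytes and verifies the exact output,
 * then confirms the hardened path rejects the wrapping length that the
 * vulnerable path would under-allocate for. Returns 1 on success. */
int check_safe_format(void)
{
    const uint8_t sample[2] = { 0xDE, 0xAD };        /* constructed input */
    const uint8_t expect[12] = { 'd',0,'e',0,' ',0, 'a',0,'d',0,' ',0 };
    size_t n = 0;
    uint8_t *out = format_hex_safe(sample, sizeof sample, &n);
    int ok = out != NULL && n == sizeof expect && memcmp(out, expect, n) == 0;
    free(out);
    size_t big = 0x2AAB;                             /* 0x2AAB * 6 = 0x10002 */
    ok = ok && would_overflow(big) && format_hex_safe(sample, big, &n) == NULL;
    return ok;
}

int main(void)
{
    size_t len = 0x2AAB;
    printf("in_len=0x%zx alloc(vuln)=%zu written=%zu overflow=%d\n",
           len, vuln_alloc_size(len), bytes_written(len), would_overflow(len));
    printf("hardened self-check: %s\n", check_safe_format() ? "ok" : "FAIL");
    return check_safe_format() ? 0 : 1;
}
```

The point to take from the model is that the check belongs on the size computation, not on the copy loop: once the product has been narrowed to 16 bits, every later consumer of that value trusts a number that no longer describes the data.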
Microsoft says that while it tries to meet even short-term deadlines set by security researchers to fix vulnerabilities, “developing a security update is a balance between timeliness and quality.”
“Our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company says in a statement.
Not Used in Election Attacks
The bug has not been used in election-related attacks, writes Ben Hawkes, who is Project Zero’s technical lead.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
The U.S. government has been on close watch for suspicious cyber activity as the presidential election has drawn closer. It has advised local governments to be on guard for intrusions perpetrated by Iran and Russia, whose activity has increased.
Last week, Iran was blamed for using voter registration information to send thousands of intimidating emails to registered Democrats, advising them to vote for Trump “or else.”
Late last week, the FBI and the Cybersecurity and Infrastructure Security Agency released more details about the email campaign, adding that the Iranian group successfully obtained voter registration data from at least one state that it did not identify (see Election Interference: Feds Detail Iran's Alleged Campaign).
Also, the FBI and CISA warned that Russia had exfiltrated data from two servers belonging to local government agencies, although it did not identify those affected. The Russian group is a long-known APT actor called Berserk Bear and believed to be run by Russia's Federal Security Service, which is known as the FSB (see US Officials Blame Data Exfiltration on Russian APT Group).
Attacks Tied to FreeType Flaw
The attacks observed so far chained CVE-2020-17087 with a vulnerability in Google’s Chrome browser that has since been patched, according to Switzerland’s Computer Emergency Response Team, GovCERT.ch. In such a chain the browser bug gives an attacker code execution inside Chrome's sandboxed renderer, and the Windows kernel bug is then used to escape the sandbox.
Google disclosed a zero-day vulnerability in Windows, which has been actively exploited. Microsoft will not release a patch until Nov. 10, however, all known attacks relied on another vulnerability in Chrome that is fixed now. If you use Chrome, please make sure it is up-to-date. https://t.co/SlLfYBDSu3
— GovCERT.ch (@GovCERT_CH) October 31, 2020
The Chrome bug, CVE-2020-15999, is a heap buffer overflow in FreeType, the open-source font engine that Chrome bundles.
Google patched the FreeType flaw in Chrome version 86.0.4240.111, and Microsoft also updated Edge, its Chromium-based browser. FreeType itself fixed the bug in release 2.10.4, and because the library is embedded in many other applications and Linux distributions, those need the update as well; patching only the browser does not close the FreeType exposure elsewhere.