
Actively Exploited Zero-day exploit in Windows!!

CVE-2020-117087 is a zero-day discovered by Google's Project Zero, which can use a buffer overflow for privilege escalation. Google Project Zero discloses vulnerabilities publicly after 90 days. However, this one is known to be actively exploited, so it is on a 7-day disclosure.

 

Microsoft gave a generic sounding response when it went public:

Quote

Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

The vulnerability was expected to be patched on November 10th. It has also been confirmed that this is not suspected of being election-related.

 

The bug has apparently existed since Windows 7, and still exists in Windows 10 1903 (64-bit), so be sure to update!

 

Further details on the exploit's workings:

Quote

The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).

IOCTL is an abbreviation of input/output control. 

 

The actively used part of the exploit relied on a previous Chrome flaw, CVE-2020-117087, an issue in FreeType, which has been fixed. It was also featured on Techlinked.

 

My thoughts

It is important to keep devices on a secure, up-to-date version for this reason, especially since there is evidence of it being actively exploited. If you have not updated after the FreeType flaw, you should ASAP.

 

Sources

https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/

https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
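As an added illustration of the attack surface the Project Zero quote describes (a kernel driver receiving user-controlled structures through IOCTLs), here is a constructed C example. It is not cng.sys code and not the bug Project Zero reported; the request layout, the names (`example_hdr_t`, `ioctl_handle_example`, `EXAMPLE_MAX_PAYLOAD`) and the 64-byte limit are hypothetical. What it shows is the pair of length cross-checks a handler needs so that neither the size the I/O manager reports for the user buffer nor a length field inside the structure can drive a copy past the kernel-side buffer, which is the overflow class the thread is talking about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not cng.sys code: a kernel-style IOCTL handler
 * that takes a user-controlled structure. Names, layout and limits are
 * hypothetical. */

#define EXAMPLE_MAX_PAYLOAD 64u   /* hypothetical size of the kernel-side buffer */

/* Hypothetical request header; payload_len bytes of payload follow it. */
typedef struct {
    uint32_t version;
    uint32_t payload_len;   /* caller-controlled: never trusted as-is */
} example_hdr_t;

/* Hypothetical kernel-side state the IOCTL writes into. */
typedef struct {
    uint32_t version;
    uint32_t copied;
    uint8_t  buf[EXAMPLE_MAX_PAYLOAD];
} example_state_t;

enum { IOCTL_OK = 0, IOCTL_BAD_LENGTH = 1, IOCTL_BAD_VERSION = 2 };

/* Hardened handler. input_len is the size reported for the user buffer;
 * hdr.payload_len is the size the structure itself claims. Both are checked. */
int ioctl_handle_example(const void *input, size_t input_len, example_state_t *state)
{
    example_hdr_t hdr;

    /* Check 1: the header must be fully present before any field is read. */
    if (input == NULL || state == NULL || input_len < sizeof hdr)
        return IOCTL_BAD_LENGTH;
    memcpy(&hdr, input, sizeof hdr);

    if (hdr.version != 1)
        return IOCTL_BAD_VERSION;

    /* Check 2: the claimed payload must fit inside what was actually passed
     * (otherwise the copy reads past the end of the input buffer). */
    if ((size_t)hdr.payload_len > input_len - sizeof hdr)
        return IOCTL_BAD_LENGTH;

    /* Check 3: the claimed payload must fit the fixed destination
     * (otherwise the copy overflows the kernel-side buffer). */
    if (hdr.payload_len > EXAMPLE_MAX_PAYLOAD)
        return IOCTL_BAD_LENGTH;

    memcpy(state->buf, (const uint8_t *)input + sizeof hdr, hdr.payload_len);
    state->version = hdr.version;
    state->copied  = hdr.payload_len;
    return IOCTL_OK;
}

/* Builds a constructed request: a header claiming claimed_len, followed by
 * actual_payload bytes of 0x41. Returns the total size, or 0 if out is too small. */
size_t build_request(uint8_t *out, size_t out_cap, uint32_t claimed_len, size_t actual_payload)
{
    example_hdr_t hdr = { 1u, claimed_len };
    size_t total = sizeof hdr + actual_payload;
    if (out == NULL || total > out_cap)
        return 0;
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 0x41, actual_payload);
    return total;
}

/* Runs four constructed scenarios; returns how many the handler rejected (3). */
int demo_rejected_count(void)
{
    uint8_t raw[256];
    example_state_t st;
    int rejected = 0;
    size_t n;
    memset(&st, 0, sizeof st);

    n = build_request(raw, sizeof raw, 16u, 16);    /* honest request: accepted */
    rejected += ioctl_handle_example(raw, n, &st) != IOCTL_OK;
    n = build_request(raw, sizeof raw, 100u, 16);   /* claims more than delivered */
    rejected += ioctl_handle_example(raw, n, &st) != IOCTL_OK;
    n = build_request(raw, sizeof raw, 100u, 100);  /* delivered, but exceeds kernel buffer */
    rejected += ioctl_handle_example(raw, n, &st) != IOCTL_OK;
    rejected += ioctl_handle_example(raw, 4, &st) != IOCTL_OK;  /* truncated header */
    return rejected;
}

/* Bytes the handler copies for the honest 16-byte request (16), or -1 on rejection. */
int demo_accepted_copied(void)
{
    uint8_t raw[256];
    example_state_t st;
    memset(&st, 0, sizeof st);
    size_t n = build_request(raw, sizeof raw, 16u, 16);
    if (ioctl_handle_example(raw, n, &st) != IOCTL_OK)
        return -1;
    return (int)st.copied;
}

int main(void)
{
    printf("rejected %d of 4 constructed requests; honest request copied %d bytes\n",
           demo_rejected_count(), demo_accepted_copied());
    return 0;
}
```

The point of checks 2 and 3 being separate is that each catches a different lie: a structure that claims more bytes than the caller actually handed over (an over-read of user memory), and a structure whose bytes are all present but more than the kernel-side buffer can hold (the overflow). A handler that only compares the embedded length against the destination, or only against the reported input size, leaves one of the two open.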

 


So Google only gave them 7 days to fix this then just up and told the world? Idk man, seems kinda phishy to me.

 

But for real, I do think Google should have given them more time (but the argument there is: ThEy hAD tiEM SInCe wiNBloWs SeBUn HURRRRRRR) Yeah, stfu. Seriously, shut the fuck up, please, just shut the fuck up. I am not defending Microsoft here. But it's not like they can find every single bug. It's up to the community and other devs to find and report them. I mean, yes, they've had since Windows 7 to fix it. But how recently was it discovered?

 

Idk man. Maybe I shouldn't have eaten that 7 day old fish in the fridge. Maybe it fucked up my thought process and I'm just totally wrong in my thinking. Oh well, at least it's off my chest now.

 

EDIT:

13 minutes ago, Catt0s said:

actively exploited, so it is on a 7-day disclosure

Well okay. This makes a bit more sense now that I've read it over again. Feel free to just ignore me ;-;


Well it's getting patched soon. Google does have weird policy regarding these as we know. I am on the latest version as always though. 

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


It was a dick move by Google to provide MS such short notice before going public.


50 minutes ago, Doobeedoo said:

Well it's getting patched soon. Google does have weird policy regarding these as we know. I am on the latest version as always though. 

 

26 minutes ago, StDragon said:

It was a dick move by Google to provide MS such short notice before going public.

It was actively being exploited prior to Google releasing the information. Honestly, I would rather Google announce it than keep it quiet and let things get exploited (while MS stays silent). The key thing being this is actively being exploited.

3735928559 - Beware of the dead beef


44 minutes ago, wanderingfool2 said:

 

It was actively being exploited prior to Google releasing the information. Honestly, I would rather Google announce it than keep it quiet and let things get exploited (while MS stays silent). The key thing being this is actively being exploited.

Well, yes and no; it depends what kind of problem it is. We've heard before that some things were not known, but Google released it without giving MS really any time to act.

Not sure how those two work behind the scenes but it seems it should be more tightly worked on.


6 minutes ago, Doobeedoo said:

Well, yes and no; it depends what kind of problem it is. We've heard before that some things were not known, but Google released it without giving MS really any time to act.

Not sure how those two work behind the scenes but it seems it should be more tightly worked on.

Given the overflow type, I would suspect it would have been an easy enough patch (one that MS likely already has, just isn't putting it out until next Tuesday).  The specific exploit was being used in conjunction with a Chrome exploit to run code on a system...guessing that's how the security team originally found it...so I'm all for disclosure of the vulnerability.


Why does it matter whether Google went public with it or not? Ultimately it still needs to get fixed.


14 minutes ago, WindirBear said:

Why does it matter whether Google went public with it or not? Ultimately it still needs to get fixed.

Because while the exploit is being weaponized, what Google did was point a spotlight on it thus announcing the availability in greater numbers. So while it was a problem, Google just threw gasoline on the fire.


Don't run new programs for the next 7 days if you want to be safe

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


19 minutes ago, StDragon said:

Because while the exploit is being weaponized, what Google did was point a spotlight on it thus announcing the availability in greater numbers. So while it was a problem, Google just threw gasoline on the fire.

but it also lets users take steps to try and mitigate the problem 


19 minutes ago, spartaman64 said:

but it also lets users take steps to try and mitigate the problem 

Do or do not, there is no try.

 

You would be very surprised how many corporate networks are in neglect around the world.


8 hours ago, Sauron said:

Don't run new programs for the next 7 days if you want to be safe

What I don't get is why AVs don't pick this up now that it's known?

 

Don't they always tell you to protect you from exactly those things? 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


1 hour ago, Mark Kaine said:

What I don't get is why AVs don't pick this up now that it's known?

 

Don't they always tell you to protect you from exactly those things? 

 

 

The attack vector is known, but realistically I don't know how much an AV could really do. (They can't be scanning every single call a program makes to try to watch for an overflow... or else system performance would tumble). They could do things like try detecting the signatures of programs, but it's like playing cat and mouse... every time AV advances to catch the newest and greatest exploits, the virus makers come up with new ways to hide it.


3 minutes ago, wanderingfool2 said:

The attack vector is known, but realistically I don't know how much an AV could really do. (They can't be scanning every single call a program makes to try to watch for an overflow... or else system performance would tumble). They could do things like try detecting the signatures of programs, but it's like playing cat and mouse... every time AV advances to catch the newest and greatest exploits, the virus makers come up with new ways to hide it.

Hmm, yeah, I see. I just thought it could be like with "trainers", for example: the AV isn't actively scanning those, but it can tell you upon initial scan that it "might" be a malicious program (because it "hooks" into other exes).

 

 

Maybe that's what you mean with looking up signatures, not sure, but still the point is I don't quite get it, why AV can do this for 'some' programs but not for others.

 

All the while advertising being able to recognize "day zero attacks" 

 

 

I do think malwarebytes is pretty good with that, but not flawless either. 


3 hours ago, Mark Kaine said:

What I don't get is why AVs don't pick this up now that it's known?

AVs can pick up a virus, as in a specific program. They can't necessarily pick up an unknown program trying to exploit a zero day. Antimalware is better at this.


11 hours ago, StDragon said:

Because while the exploit is being weaponized, what Google did was point a spotlight on it thus announcing the availability in greater numbers. So while it was a problem, Google just threw gasoline on the fire.

You've got that backwards. The criminals already knew about it and were actively exploiting it. What Google did is make the general public aware of it and force MS to fix it sooner rather than later.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


10 minutes ago, Sauron said:

Antimalware is better at this.

Yeah, I mean... that's what I mean... "AV" is just the umbrella term to me... For example Windows defender will not pick up trainers, malwarebytes will though. (it's the only kind of "malware" I ever get lol *forever lonely.jpg*)

 

So yes, I think if there's some kind of pattern it should be possible to pick it up? 

 

But is obviously not reliable or something? Idk maybe people don't scan everything they download, I SCAN EVERYTHING, even jpgs... 🤷🏼


1 minute ago, Master Disaster said:

You've got that backwards. The criminals already knew about it and were actively exploiting it. What Google did is make the general public aware of it and force MS to fix it sooner rather than later.

Pretty much 


4 minutes ago, Mark Kaine said:

Yeah, I mean... that's what I mean... "AV" is just the umbrella term to me... For example Windows defender will not pick up trainers, malwarebytes will though. (it's the only kind of "malware" I ever get lol *forever lonely.jpg*)

 

So yes, I think if there's some kind of pattern it should be possible to pick it up? 

AM is "better" for this but there's still no guarantee it will pick up everything. If you're worried, again, just wait a few days for the patch to drop. As far as I can tell this doesn't work through a browser (unless you have an old chrome version) so visiting websites should be safe enough.


12 hours ago, StDragon said:

Because while the exploit is being weaponized, what Google did was point a spotlight on it thus announcing the availability in greater numbers. So while it was a problem, Google just threw gasoline on the fire.

I'll try to explain this; it's much less dramatic than you're trying to paint it.

So Google finds security flaw. 

Tells MS about it and says " you got 7 days to fix this or we'll go public" 

Then MS says: "Fuck off, don't tell me what to do!" 

 

And, 7 days later Google does what it said and goes public. 

And of course MS will fix the security flaw now 'asap'. 

 

There's nothing abnormal or egregious about that, just a big Kindergarten. :)


45 minutes ago, Sauron said:

As far as I can tell this doesn't work through a browser (unless you have an old chrome version)

Welp, I'm not on the latest version.

 

Quote

Hi, everyone! We've just released Chrome 86 (86.0.4240.185) 

I'm on 86.0.4240.183

 

Google is not much better than Microsoft, it seems.


6 minutes ago, Mark Kaine said:

I'm on 86.0.4240.183

The relevant flaw was patched on 86.0.4240.111


2 minutes ago, Sauron said:

The relevant flaw was patched on 86.0.4240.111

Oh, Google are pretty quick, huh! 

 

Thanks for the info. :D

