New Windows Zero-Day

Google’s Project Zero has discovered and published a buffer overflow vulnerability in the Windows Kernel Cryptography Driver. The exploit doesn’t affect the cryptography, but allows attackers to escalate system privileges:

Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

The vulnerability is being exploited in the wild, although Microsoft says it’s not being exploited widely. Everyone expects a fix in the next Patch Tuesday cycle.

Posted on November 2, 2020 at 2:01 PM

Comments

Curious November 3, 2020 4:11 AM

I’ve always wondered if ‘patch tuesday’ was US only, or a global patch day. Anybody know?

David Rudling November 3, 2020 7:45 AM

I have always assumed that Patch Tuesday is immediately followed by Zero-Day Wednesday which would be the rational release date for an exploit to allow the largest window of opportunity to use it before it is patched. Microsoft seem reluctant to bring forward urgent patches from their planned Patch Tuesday.

name.withheld.for.obvious.reasons November 3, 2020 11:25 PM

@ Bruce Schneier

The exploit doesn’t affect the cryptography, but allows attackers to escalate system privileges:

Of course with privilege execution, anything from power user, admin, or system is going to let you affect cryptography…

Just not initially, it’s enough for a payload to then perform some code injection. And, it would seem that Chrome use of the API does not mean that just Chrome is an initial vector.

Anonymous November 4, 2020 12:37 PM

@Impetigo

  1. There is virtually zero chance a physical sensor would be triggered by sound waves. Unless you interact physically with the phone or replicate gravity, there’s no way you will trigger an accelerometer remotely.
  2. Even if you could, there is still no major security flaw unless the phone was already hacked. What would muting someone’s phone or opening up the camera do, drain their battery?
  3. Features undoubtedly go through a review process which includes security

Clive Robinson November 4, 2020 1:27 PM

@ Impetigo, Anonymous,

Do new features go through a security review?

We would like to think so, but the history to date of ICT systems strongly suggests otherwise, or that the testing is for various reasons incomplete.

In fact we know testing will always be incomplete. Because as I sometimes point out, “Instances of attacks, fall in classes of attacks.” and either or both can be unknown at the time of testing.

So when you consider the options of (instance, class)

You have,

1, Known, Knowns
2, Unknown, Knowns
3, Unknown, Unknowns

Only the first of which, a known instance in a known class, is in the current or past tense, so can be reliably tested for. However, the second, where there is a known class of attack, if tested for correctly might stop future new instances, but there is no certainty in this. With the third they are not currently known, thus specific testing is not possible, and no guarantee general testing will pick up where these future attacks might occur.

xcv November 5, 2020 3:07 PM

New Windows Zero-Day … allows attackers to escalate system privileges …

This is nothing new. It’s by design, how things are supposed to work in Microsoft Windows.
