Because Microsoft has exceeded the 90-day deadline plus the 14-day extension, Google Project Zero will continue to publish details of the exploited security vulnerabilities in Windows 10.
Under Google's policy, a vendor has 90 days from the date of notification to fix a vulnerability. If the fix cannot be completed in that time, the vendor can apply for an additional 14 days before disclosure.
There are now two new security vulnerabilities, and the details of the kernel-level vulnerabilities will also be made public because Microsoft has not yet had time to fix them.
In May 2020, researchers at Kaspersky Security Lab discovered that attackers were using privilege escalation vulnerabilities in the wild, which can be combined with remote code execution vulnerabilities in the IE browser.
Both of these security vulnerabilities were rated as zero-days. After being reported to Microsoft, they were initially fixed in a security update that Microsoft released in June.
However, some researchers found that Microsoft's fix was not thorough: attackers can still escalate to kernel privileges by supplying offsets in place of pointers.
Researchers said that the original vulnerability was caused by pointers, but Microsoft's fix only changed the pointers to offsets, which still leaves attackers able to control the function and launch attacks.
In other words, Microsoft's fix was unsuccessful, and attackers can still use this vulnerability to escalate to kernel privileges.
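The incomplete-fix pattern described above, as an added C example that is not Microsoft's code or the researchers' demo: replacing a caller-supplied pointer with a caller-supplied offset changes nothing until the offset and length are range-checked. The request layout, sizes and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 64u    /* bytes the caller is allowed to write (constructed) */
#define ARENA_SIZE  128u   /* region plus adjacent state the caller must not reach */

/* Constructed request layout: every field is caller-controlled. */
struct copy_req {
    uint64_t dst_off;      /* was a raw pointer before the "fix" */
    uint32_t len;
    uint8_t  data[16];
};

/* Incomplete fix: the offset is added to the base with no range check.
 * (The ARENA_SIZE test only keeps this demo inside defined memory.) */
int copy_unchecked(uint8_t *arena, const struct copy_req *r) {
    if (r->len > sizeof r->data || r->dst_off > ARENA_SIZE - r->len)
        return -1;
    memcpy(arena + r->dst_off, r->data, r->len);
    return 0;
}

/* Complete fix: offset and length are validated against the region,
 * written so that dst_off + len cannot wrap around. */
int copy_checked(uint8_t *arena, const struct copy_req *r) {
    if (r->len > sizeof r->data) return -1;
    if (r->dst_off > REGION_SIZE || r->len > REGION_SIZE - r->dst_off)
        return -1;
    memcpy(arena + r->dst_off, r->data, r->len);
    return 0;
}

/* Returns 1 if bytes outside the allowed region changed after handling r. */
int state_corrupted(int (*handler)(uint8_t *, const struct copy_req *),
                    const struct copy_req *r) {
    uint8_t arena[ARENA_SIZE] = {0};
    (void)handler(arena, r);
    for (unsigned i = REGION_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != 0) return 1;
    return 0;
}

int main(void) {
    struct copy_req r = { REGION_SIZE, 4, { 0xff, 0xff, 0xff, 0xff } };
    printf("unchecked offset corrupts state: %d\n", state_corrupted(copy_unchecked, &r));
    printf("checked offset corrupts state:   %d\n", state_corrupted(copy_checked, &r));
    return 0;
}
```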
After discovering the problem, the researchers reported it to Microsoft. Microsoft confirmed the vulnerability the next day and assigned it the identifier CVE-2020-17008.
The vulnerability was reported on September 24, 2020. Microsoft originally planned to modify the relevant parameters in the November 2020 cumulative update to block the vulnerability.
However, new problems were discovered during testing. As a result, Microsoft postponed the fix to the beginning of next year, which exceeds the 90-day period.
Under Google's policy, the 90-day disclosure period plus the additional 14-day extension runs until January 6, 2021, while Microsoft's cumulative update will be released on January 12.
This date clearly cannot meet Google's deadline, so the details of the vulnerability will be disclosed. Researchers have already published demo code that triggers the vulnerability.