Google discloses a Windows zero-day vulnerability (CVE-2020-17087)
Under normal circumstances, Google’s Project Zero gives developers 90 days to fix a vulnerability after it is discovered. After 90 days, the details are made public regardless of whether the vulnerability has been fixed.
Microsoft has previously strongly criticized Google for publishing unfixed security vulnerabilities in Microsoft products, but the criticism has had no effect. Google continues to disclose Microsoft security vulnerabilities.
The security vulnerability published this time is numbered CVE-2020-17087. It can be used for a sandbox escape, followed by privilege escalation to take control of the entire computer.
Because Google announced the vulnerability too early, Microsoft actually had only 7 days to fix it. Predictably, this approach by Google draws harsh criticism from Microsoft.
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
— Ben Hawkes (@benhawkes) October 30, 2020
The technical leader of Google’s Project Zero said that an attacker can use the vulnerability for privilege escalation, and that it can also be used in conjunction with security vulnerabilities in Google Chrome.
It is reported that Google Chrome issued an emergency security update earlier to fix a sandbox escape vulnerability. Attackers can use the vulnerability to install malware on the system.
Google said that there is evidence that this vulnerability was exploited by hackers in the wild, so Google directly disclosed the details of the vulnerability and urged developers to fix it quickly.
Google’s Project Zero also provides proof-of-concept code. With it, the kernel encryption driver can easily be made to crash the system.
The kernel encryption driver (cng.sys) is a core part of the Windows system. Sometimes this driver will cause a blue screen of death when an exception occurs.
Google’s Project Zero said that Microsoft has received the vulnerability report and will fix the vulnerability in Windows 10 with a security update to be released on November 10.
However, this vulnerability also affects Windows 7 and the Windows Server 2008 series. These versions have been discontinued and will not be updated, unless enterprise users have already purchased Microsoft’s paid extended support plan, in which case Microsoft will provide additional security support to fix the vulnerability.
I also remind users who are still running an old, discontinued version of the operating system: if possible, please upgrade to a supported operating system as soon as possible.
In response to Google’s early announcement of the details of the unfixed vulnerability, Microsoft officials also issued a response. This time, Microsoft’s attitude is relatively restrained.
Microsoft said the company is committed to investigating security vulnerabilities reported by researchers as soon as possible, and to releasing security updates as soon as possible to fix the related vulnerabilities and protect customers.
Microsoft said it will strive to meet the disclosure deadlines for all researchers while balancing the timeliness of security updates and development quality.
An official Microsoft spokesperson also stated that use of this vulnerability is very limited and targeted, and that the company has no evidence that the vulnerability is widely used.