Google's Project Zero has disclosed a security hole in the Windows kernel that is already being actively exploited. It is used in combination with a browser security hole to break into the system. There are currently no patches available for the kernel vulnerability.
The zero-day (CVE-2020-17087) was discovered by security researchers Mateusz Jurczyk and Sergei Glazunov from Google's Project Zero, who reported the vulnerability to Microsoft on October 22nd. After it became clear that it was already being actively exploited, Google decided to disclose the vulnerability just seven days later.
"The Windows kernel cryptography driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a large number of IOCTLs with non-trivial input structures," says the bug report. This represents a locally accessible attack surface that can be used for privilege escalation or to break out of a sandbox.
Multiple zero days combined for attack
The zero-day is used in combination with another security hole in the FreeType library used by the Chrome and Edge browsers. The FreeType bug allows malicious code to be executed inside Chrome or Edge, while the kernel bug enables an escape from the browser sandbox. This so-called chaining of security holes is not uncommon. The vulnerabilities in Chrome and Edge have already been fixed and updates have been released.
The vulnerability in the cryptography driver is said to have existed at least since Windows 7 and can be exploited on Windows 10 (64-bit) with the proof-of-concept code (PoC) that was published alongside the report. A patch is expected on November 10th, the next Patch Tuesday. Microsoft is currently working on a fix, a company spokesperson told the online magazine The Register.