Google discloses actively exploited Windows zero-day (CVE-2020-17087)

Google researchers have made public a Windows kernel zero day vulnerability (CVE-2020-17087) that is being exploited in the wild in tandem with a Google Chrome flaw (CVE-2020-15999) that has been patched on October 20.

About CVE-2020-17087

CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver, and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

More technical information has been provided in the Chromium issue tracker entry, which was kept unaccessible to the wider public for the first seven days, but has now been made public.

The researchers have also included PoC exploit code, which has been tested on Windows 10 1903 (64-bit), but they noted that the affected driver (cng.sys) “looks to have been present since at least Windows 7,” meaning that all the other supported Windows versions are probably vulnerable.

Exploitation and patching

Shane Huntley, Director of Google’s Threat Analysis Group (TAG) confirmed that the vulnerability chain is being used for targeted exploitation and that the attacks are “not related to any US election-related targeting.”

The attackers are using the Chrome bug to gain access to the target system and then the CVE-2020-17087 to gain administrator access on it.

A patch for the issue is expected to be released on November 10, as part of the monthly Patch Tuesday effort by Microsoft.

While the bug is serious, the fact that it’s being used in targeted (and not widespread) attacks should reassure most users they’ll be safe until the patch is released.

Also, according to a Microsoft spokesperson, exploitation of the flaw has only been spotted in conjuction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers (e.g., Opera on October 21, Microsoft Edge on October 22.

Users who have implemented those updates are, therefore, safer still.