Categories: SecurityWorkspace

Google Discloses Unpatched Windows Bug Under Active Exploitation

Google has disclosed an unpatched flaw in the Windows kernel that it says is being actively exploited to hack systems.

The company disclosed the flaw after giving Microsoft seven days to patch it.

Google said it currently expects Microsoft to issue a fix for the bug on 10 November, along with its regular monthly set of security patches.

“Currently we expect a patch for this issue to be available on November 10,” said Ben Hawkes, team lead for Google’s Project Zero security unit, on Twitter.

Two-pronged attack

Hawkes said the issue, identified as CVE-2020-17087, was being used in conjunction with a bug in Google’s own Chrome browser to carry out attacks.

The Windows kernel flaw is only accessible locally, meaning it ordinarily would not be able to be exploited via a network.

However, attackers used a previously undetected bug in Chrome, identified as CVE-2020-15999, to target systems with malicious code over the internet.

Attackers then used the Windows kernel flaw to bypass Chrome’s security protections, in what is termed a sandbox escape, Hawkes said.

The Windows kernel flaw constitutes a “locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)”, Project Zero confirmed in its advisory.

Targeted hacking

Project Zero has the controversial practice of giving software vendors a hard deadline after which it discloses flaws to the public, whether a patch is available or not.

In the case of bugs under active exploitation, the deadline is only seven days.

Hawkes cited Google’s Threat Analysis Group as saying that the Windows kernel flaw was being used along with the Chrome bug in “targeted exploitation”.

The attacks are “not related to any US election” targets, Hawkes said, without specifying who the targets were believed to be.

The issue affects the Windows Kernel Cryptography Driver (cng.sys) and affects Windows 7 up to the most recent version of Windows 10, Project Zero said.

The researchers also published proof-of-concept code demonstrating how to exploit the bug, which is caused by a 16-bit integer truncation issue.

The Chrome flaw was patched in Chrome version 86.0.4240.111.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

BT Eagle-i Seeks To Predict, Prevent Cyberattacks

Proactive security approach. New security platform from BT Security, dubbed 'Eagle-i', seeks to predict and…

2 days ago

Apple Risks South Korean Clash After Investigation Warning

South Korean government official warns of possible investigation into Apple's compliance with new App Store…

2 days ago

Moscow Metro Facial Recognition System For Speedy Payments

Privacy concern. Moscow's Metro system has launched 'Face Pay', a mass facial recognition system for…

2 days ago

US Army Delays $22 Billion Microsoft Augmented Reality Headsets

United States Army pushes back deployment date of Microsoft's augmented reality headsets, but insists it…

3 days ago

TSMC Confirms Chip Plant For Japan

Taiwanese chip giant TSMC confirms it will build a chip factory in Japan, that will…

3 days ago

GitLab Raises $800m In Successful Initial Public Offering

After a successful public debut that raised hundreds of millions of dollars, coding platform GitLab…

3 days ago