Google Project Zero has disclosed details for a zero-day vulnerability CVE-2020-17087 found in the Windows operating system that is being currently exploited in the wild.
Earlier Google had released a patch addressing a zero-day vulnerability (CVE-2020-15999) found in Chrome web browsers. The vulnerability allowed a remote attacker to exploit heap corruption by crafting a HTML page.
The newly disclosed Windows zero-day vulnerability (CVE-2020-17087) when used with Chrome based zero-day vulnerability (CVE-2020-15999) allows an attacker to escape the Chrome sandbox environment and run the code directly on Windows.
The vulnerability resides in the Windows kernel cryptography driver (cng.sys) that causes a buffer overflow which can be exploited to gain elevated privileges. The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs (an Input-Output Control interface to communicate with a device) with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation.
Google has already issued patches for the Chrome zero-day vulnerability. Users who have applied Chrome’s patch are considered to be not affected by the remote execution, though the execution is still possible locally.
The affected version of windows
The bug is expected to affect Windows 7 through Windows 10.
SanerNow offers the detection and remediation for CVE-2020-15999. It can also detect the affected Windows OS for CVE-2020-17087. Patch for the same is currenlty unavailable from Microsoft.
According to the tweet by Ben Hawkes, the patch for CVE-2020-17087 is expected to be released on November 10 (Patch Tuesday).