If you Google “Win10 zero-day”, you’ll likely find a number of results. Today’s zero-day is one that involves both Google Chrome and Microsoft Windows and is actively exploited. It has been disclosed with a proof of concept but is still not patched by Microsoft!
The Windows security issue, tracked as CVE-2020-17087, is reported to impact every version of the Windows OS from Windows 7 to the current Windows 10. Google’s Project Zero security team discovered the flaw, notified Microsoft, and provided seven days to patch before Google would disclose the details. Some argue this is a short time before disclosure, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended their timeline, saying: “We think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable [sic] un-likely”. That is probably true, as the researchers knew the chained exploit required another vulnerability: CVE-2020-15999, a Chrome browser bug that was patched on 20 October 2020. These are likely the same reasons Microsoft can be so calm about the vulnerability, with the fix pushed off until the next Patch Tuesday on 10 November 2020.
The previously patched Chrome browser bug, CVE-2020-15999, is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of the FreeType 2 library, which is used for font rendering in multiple applications, one of which is Google Chrome. Google’s own security researcher on the Project Zero team, Sergei Glazunov, is credited with the discovery. The attack would be accomplished using social engineering to lure a user to browse a website hosting a specially crafted malicious font file. Glazunov has published a proof-of-concept font file. The unpatched Microsoft Windows bug, CVE-2020-17087, is a buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys, in the way it processes input/output control (IOCTL) requests. Mateusz Jurczyk, the Project Zero security researcher who discovered the issue, says the bug is the result of a 16-bit integer truncation. A proof of concept was included as an attachment to the Google Project Zero issue tracker entry and has been tested on Windows 10 1903 (64-bit).
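To make the "16-bit integer truncation" bug class concrete, here is an added, constructed C example that is not the cng.sys code and does not reproduce CVE-2020-17087. It models a generic request handler whose caller-supplied 32-bit length is narrowed to 16 bits when sizing a heap allocation while the untruncated length still drives the copy, and places beside it the hardened form that validates the length before any narrowing. All names (`request`, `plan_vulnerable`, `handle_hardened`, the status codes) are hypothetical. The vulnerable variant only computes and reports the size mismatch; it never performs the out-of-bounds write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the integer-truncation bug class.
 * Hypothetical names; NOT the Windows cng.sys driver code. */

#define STATUS_SUCCESS           0
#define STATUS_INVALID_PARAMETER 1
#define STATUS_NO_MEMORY         2

/* Hypothetical request header: the length field is caller-controlled. */
struct request {
    uint32_t       data_len;  /* caller-supplied length of 'data' */
    const uint8_t *data;
};

/* What a vulnerable handler would do: allocate from a 16-bit copy of the
 * length, then copy the full 32-bit length. */
struct size_plan {
    size_t alloc_len;  /* bytes the handler would allocate */
    size_t copy_len;   /* bytes the handler would copy into it */
    int    overflows;  /* 1 when copy_len exceeds alloc_len */
};

struct size_plan plan_vulnerable(uint32_t data_len)
{
    struct size_plan p;
    uint16_t narrowed = (uint16_t)data_len;  /* truncation: 0x10010 -> 0x0010 */
    p.alloc_len = narrowed;                  /* allocation sized from narrowed value */
    p.copy_len  = data_len;                  /* copy sized from original value */
    p.overflows = p.copy_len > p.alloc_len;  /* heap overflow whenever len >= 0x10000 */
    return p;
}

/* Hardened handler: validate the length in its widest type before any
 * narrowing, and derive both the allocation and the copy from that one
 * validated value so they can never disagree. */
int handle_hardened(const struct request *req, uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (req == NULL || req->data == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->data_len == 0 || req->data_len > UINT16_MAX)
        return STATUS_INVALID_PARAMETER;     /* reject before truncation can occur */

    size_t len = req->data_len;              /* single source of truth for sizes */
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return STATUS_NO_MEMORY;
    memcpy(buf, req->data, len);             /* copy bounded by the allocation */
    *out = buf;
    *out_len = len;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed length just past the 16-bit boundary. */
    struct size_plan p = plan_vulnerable(0x10010u);
    printf("vulnerable plan: alloc=%zu copy=%zu overflow=%d\n",
           p.alloc_len, p.copy_len, p.overflows);

    uint8_t sample[4] = {1, 2, 3, 4};        /* constructed request payload */
    struct request ok  = {4u, sample};
    struct request bad = {0x10010u, sample}; /* length lies; hardened path rejects it */
    uint8_t *out; size_t n;
    printf("hardened small request: status=%d len=%zu\n",
           handle_hardened(&ok, &out, &n), n);
    free(out);
    printf("hardened oversized request: status=%d\n",
           handle_hardened(&bad, &out, &n));
    return 0;
}
```

The fix is not the size limit itself but the ordering: the check runs on the full-width value, and every later size derives from the value that passed the check.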
As for observations in the wild, this chained attack is being used in targeted attacks, according to Shane Huntley, Director of Google’s Threat Analysis Group. Microsoft also acknowledged that its bug has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers.