Microsoft releases patch for Windows zero-day flaw found by Google

Microsoft building in California

Last month, security researchers at Google's Project Zero released details of a zero-day vulnerability in Windows that was being actively exploited.

Hacklers were taking advantage of a Windows Kernel Cryptography Driver security flaw (CVE-2020-117087) to gain elevated privileges in Windows 7, 8, and 10, as well as Windows Server 2008 and higher. As part of yesterday's Patch Tuesday release, Microsoft has now issued a fix for the vulnerability.

See also:

Advertisement

Known as the "Windows Kernel Local Elevation of Privilege Vulnerability", CVE-2020-17087 was revealed to Microsoft back on October 22. Ordinarily, Project Zero would implement a 90-day grace period before going public with details of a vulnerability, but reduced this to just seven days due to the fact it was in the wild.

The Project Zero team explained:

The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).

Over on the MSRC portal, Microsoft acknowledges the work done by Mateusz Jurczyk and Sergei Glazunov of Google Project Zero to bring the vulnerability to its attention. Links to the patches for different versions of Windows and Windows Server can be found on the same page.

Image credit: Walter Cicchetti / Shutterstock

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.