Researchers from the Google Project Zero team have discovered CVE-2020-17087, an actively exploited zero-day affecting Windows 7, 8, and 10. Because the vulnerability is already being used in the wild, it was placed under a 7-day disclosure deadline: it was reported to Microsoft last week and has been made public just now. The software vendor estimates that a fixing patch will be released on November 10, so the flaw has not been fixed yet.
The flaw concerns the ability to run code on target Windows systems remotely; it resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue. Google’s team has also shared a proof-of-concept snippet demonstrating how the sandbox escape trick works.
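To make the "16-bit integer truncation" cause concrete, here is an added illustration of that bug class in C. It is constructed for this article and is not the cng.sys code or Project Zero's proof of concept; the entry size, the field names and the input values are all assumptions. It shows a byte count computed from input being stored in a 16-bit variable, so that values above 65535 wrap and the resulting buffer is smaller than the data later written into it, alongside the checked computation that rejects such inputs instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the 16-bit truncation bug class. This is NOT the
 * cng.sys code; it only mirrors the pattern: a size derived from input is
 * stored in a 16-bit variable, so anything above 65535 silently wraps. */

#define PER_ENTRY_BYTES 8u   /* hypothetical fixed size of each formatted entry */

/* Vulnerable pattern: the byte count is truncated to 16 bits on store. */
static size_t vulnerable_alloc_size(uint32_t entry_count)
{
    uint16_t total = (uint16_t)(entry_count * PER_ENTRY_BYTES); /* truncation */
    return total;
}

/* Bytes the consumer would actually write for the same input (no truncation). */
static size_t bytes_to_write(uint32_t entry_count)
{
    return (size_t)entry_count * PER_ENTRY_BYTES;
}

/* True when the vulnerable computation yields a buffer smaller than needed. */
static bool vulnerable_underallocates(uint32_t entry_count)
{
    return vulnerable_alloc_size(entry_count) < bytes_to_write(entry_count);
}

/* Hardened pattern: compute in a wide type and refuse any value that would
 * not survive the 16-bit store. Returns false (and leaves *out untouched)
 * when the input must be rejected. */
static bool checked_alloc_size(uint32_t entry_count, size_t *out)
{
    uint64_t total = (uint64_t)entry_count * PER_ENTRY_BYTES;
    if (total > UINT16_MAX) {
        return false;
    }
    *out = (size_t)total;
    return true;
}

/* Convenience wrapper: does the hardened path accept this input at all? */
static bool checked_accepts(uint32_t entry_count)
{
    size_t unused;
    return checked_alloc_size(entry_count, &unused);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that wraps to exactly
     * zero, and one that wraps to a tiny positive size. */
    const uint32_t inputs[] = { 100u, 8192u, 8193u };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t safe = 0;
        bool ok = checked_alloc_size(inputs[i], &safe);
        printf("entries=%u truncated_size=%zu needed=%zu checked=%s\n",
               inputs[i], vulnerable_alloc_size(inputs[i]),
               bytes_to_write(inputs[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The defensive point is the order of operations: the multiplication must happen in a type wide enough to hold the true result, and the comparison against the destination field's maximum must happen before the narrowing store, not after it.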
The vulnerability is chained with a Chrome zero-day, CVE-2020-15999, which is where the attacker would start. The web browser is where the sandbox escape actually takes place, and that bug has been patched in Chrome v86.0.4240.111, released on October 20, 2020.
In practice, this means that there is no longer a way for the hackers to reach the Windows flaw through Chrome, even if the OS remains unpatched. It also means that updating your Chrome browser should be considered essential; otherwise, the chain is still there. If you’re using a Chrome-based browser, the same risks apply if the relevant update hasn’t reached you yet.
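Since the only hard requirement the article gives is "be on 86.0.4240.111 or later", a version comparison is the check an administrator would script across a fleet. The following C helper is an added example written for this article, not code from Google or the Chromium project; it assumes a four-part dotted version string as shown in chrome://version and compares it component by component against the fixed build named above. The sample version strings in the test are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* First Chrome build carrying the fix for CVE-2020-15999 (from the article). */
#define FIXED_VERSION "86.0.4240.111"

/* Parse "a.b.c.d" into four unsigned components. Rejects strings with fewer
 * parts or with trailing characters, so "86.0" and "86.0.4240.111-beta"
 * are both treated as unparseable rather than silently compared. */
static bool parse_version(const char *s, unsigned v[4])
{
    char trailing;
    int n = sscanf(s, "%u.%u.%u.%u%c", &v[0], &v[1], &v[2], &v[3], &trailing);
    return n == 4;
}

/* Lexicographic comparison of two parsed versions: -1, 0 or 1. */
static int compare_versions(const unsigned a[4], const unsigned b[4])
{
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) {
            return a[i] < b[i] ? -1 : 1;
        }
    }
    return 0;
}

/* Returns 1 if the installed version is at or above FIXED_VERSION,
 * 0 if it is older (still exposed to the browser half of the chain),
 * and -1 if the string could not be parsed and must be checked by hand. */
int chrome_is_patched(const char *installed)
{
    unsigned have[4], need[4];
    if (!parse_version(installed, have) || !parse_version(FIXED_VERSION, need)) {
        return -1;
    }
    return compare_versions(have, need) >= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, as an inventory script might collect them. */
    const char *samples[] = { "86.0.4240.111", "86.0.4240.75", "87.0.4280.66", "86.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = chrome_is_patched(samples[i]);
        printf("%-16s %s\n", samples[i],
               r == 1 ? "patched" : r == 0 ? "NOT patched" : "unparseable");
    }
    return 0;
}
```

Note that the comparison is numeric per component, not a string comparison: "86.0.4240.75" sorts before "86.0.4240.111" here, whereas a naive string sort would get that case wrong.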
The Director of Google’s Threat Analysis Group has clarified that the attacks they monitored aren’t related to the U.S. election. Zero-days are discovered, weaponized, and exploited by highly sophisticated and capable hackers who make their own way into systems and networks instead of relying on “canned” solutions and tools. However, Google hasn’t given any more details about the actors yet.
If you’re still using the out-of-support Windows 7, this is yet another critical flaw added to the list of dangerous, high-risk bugs that will never be fixed for that operating system. If you’re looking for a way out, consider your options and pick something that is actively supported and secure.