Google’s Project Zero team has discovered a 0-day vulnerability in Windows 10 that is currently being exploited. It allows elevation of privilege on the Microsoft operating system. The bug is tracked as CVE-2020-17087.
The 0-day vulnerability affects the Windows Kernel Cryptography driver (CNG.sys). A function in CNG.sys that converts binary data to hexadecimal writes its output into a buffer that is too small. Exploiting the bug can crash the system, and the vulnerability could also be used to elevate privileges or escape a sandbox. The Project Zero team states that the vulnerability is also present in Windows 7 and Windows 8(.1).
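A bounds-checked binary-to-hexadecimal conversion in C, added here to illustrate the class of bug described above and the size check that prevents it. It is not code from CNG.sys or from Project Zero; the function names and status codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example. */
enum hex_status { HEX_OK = 0, HEX_BAD_ARG = -1, HEX_TOO_SMALL = -2, HEX_OVERFLOW = -3 };

/* Bytes needed for the hex form of in_len input bytes plus a NUL.
 * Fails instead of wrapping when 2 * in_len + 1 does not fit in size_t. */
static int hex_required_size(size_t in_len, size_t *need)
{
    if (in_len > (SIZE_MAX - 1) / 2)
        return HEX_OVERFLOW;
    *need = in_len * 2 + 1;
    return HEX_OK;
}

/* Convert in[0..in_len) to lowercase hex in out, which holds out_cap bytes.
 * Nothing is written unless the whole result, including the NUL, fits. */
static int hex_encode_checked(const uint8_t *in, size_t in_len,
                              char *out, size_t out_cap)
{
    static const char digits[] = "0123456789abcdef";
    size_t need;
    int rc;

    if (out == NULL || (in == NULL && in_len != 0))
        return HEX_BAD_ARG;
    rc = hex_required_size(in_len, &need);
    if (rc != HEX_OK)
        return rc;
    if (need > out_cap)
        return HEX_TOO_SMALL;   /* refuse an undersized destination */

    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * in_len] = '\0';
    return HEX_OK;
}

int main(void)
{
    const uint8_t sample[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed input */
    char small[8], big[9];
    int rc_small = hex_encode_checked(sample, sizeof sample, small, sizeof small);
    int rc_big = hex_encode_checked(sample, sizeof sample, big, sizeof big);
    printf("8-byte buffer: %d\n9-byte buffer: %d (%s)\n", rc_small, rc_big, big);
    return 0;
}
```

The 8-byte destination is rejected because four input bytes need eight hex digits plus the terminator; the required size is computed and checked before any byte is written.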
Ben Hawkes, who is responsible for the technical side of Project Zero, reported the bug. He said in a tweet that Microsoft is expected to deliver a fix on November 10th. He adds that the attackers currently exploiting the flaw are not doing so in connection with the US presidential election.
We currently expect a patch for this issue to be available on November 10th. We confirmed with Google’s Threat Analysis Group director Shane Huntley (@ShaneHuntley) that this is targeted exploitation and not related to any US election target.
– Ben Hawkes (@benhawkes) October 30, 2020
An important clarification: this flaw can only be exploited locally. An attacker cannot use it remotely over the Internet. Even so, Google states that the Windows 10 0-day is being actively exploited.