Google’s Project Zero (GPZ) team on Wednesday disclosed a high-severity zero-day flaw in Windows which, if exploited, allows elevation of privilege. Since Microsoft was unable to develop an adequate patch within 90 days of being notified by Project Zero, Google has now publicly released the details of the bug.
For those unaware, under the revised disclosure policy, GPZ needs to wait for at least 90 days before publicly revealing the details of a security bug, even if the bug is fixed ahead of that deadline. Also, vendors can request an additional 14-day grace period from Google if they believe they won’t be able to fix the reported vulnerability within 90 days.
The flaw allows a low-integrity process to send LPC messages to splwow64.exe (medium integrity) and gain a write-what-where primitive in splwow64’s memory space. Successful exploitation could allow the attacker to control the destination, the contents copied, and the number of bytes copied through a memcpy call.
This zero-day flaw in Windows (originally tracked as CVE-2020-0986) is apparently not new. It was actually discovered by a security researcher at Kaspersky this past summer, and Microsoft patched it in June.
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft had said in an advisory issued in June.
Microsoft’s June update included a patch that addressed the vulnerability by correcting how the Windows kernel handles objects in memory. However, according to Maddie Stone, a researcher with Google Project Zero, this patch has now been found to be incomplete: it merely replaces the pointers with offsets, which still allows attackers to exploit the flaw.
“Microsoft released a patch in June, but that patch didn’t fix the vuln,” she tweeted on Wednesday. “After reporting that bad fix in Sept. under a 90-day deadline, it’s still not fixed.”
She added, “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
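To make the point in the quote above concrete, the following is an added illustration, not code from splwow64 or from Project Zero: a constructed, hypothetical message handler in which a less privileged client supplies the arguments of a memcpy. It shows the original raw-pointer pattern, the same copy after the arguments are turned into offsets (the shape of the incomplete fix), and a hardened variant that validates both ranges against the region before copying. The region size, the request structures and the function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a message handler copying data on behalf of a less
 * privileged client. This is NOT splwow64's code; it only mirrors the pattern
 * described in the article: the client controls the memcpy arguments. */

#define REGION_SIZE 256
static uint8_t g_region[REGION_SIZE];   /* stands in for the server's buffer */

/* Original bug: the request carries raw pointers and a length. */
struct req_ptrs {
    uint8_t *dst;
    const uint8_t *src;
    size_t len;
};

/* Same copy once the request is expressed as offsets from a base. */
struct req_offs {
    size_t dst_off;
    size_t src_off;
    size_t len;
};

/* Unpatched pattern: a memcpy whose three arguments come straight from the
 * request, i.e. a write-what-where primitive for the caller. */
void copy_unpatched(const struct req_ptrs *r)
{
    memcpy(r->dst, r->src, r->len);
}

/* Offsets without validation: the caller still picks dst, src and len, so an
 * offset past REGION_SIZE reaches the same memory the raw pointer did. */
void copy_offsets_unchecked(uint8_t *base, const struct req_offs *r)
{
    memcpy(base + r->dst_off, base + r->src_off, r->len);
}

/* Overflow-safe check that [off, off + len) lies inside a region of `size` bytes. */
bool range_in_region(size_t off, size_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* Reports whether the unchecked offset copy would touch memory outside the
 * region; used here to show that switching to offsets alone removes nothing. */
bool offsets_escape_region(const struct req_offs *r, size_t size)
{
    return !range_in_region(r->dst_off, r->len, size) ||
           !range_in_region(r->src_off, r->len, size);
}

/* Hardened handler: reject any request whose source or destination range is
 * not entirely within the region before a single byte is copied. */
bool copy_offsets_checked(uint8_t *base, size_t size, const struct req_offs *r)
{
    if (offsets_escape_region(r, size))
        return false;
    memmove(base + r->dst_off, base + r->src_off, r->len);  /* ranges may overlap */
    return true;
}

/* Small driver: an in-bounds request succeeds, an out-of-bounds one is refused.
 * Returns 0 on success so the result can be checked without inspecting output. */
int demo(void)
{
    struct req_offs ok  = { .dst_off = 64,              .src_off = 0, .len = 5 };
    struct req_offs bad = { .dst_off = REGION_SIZE - 2, .src_off = 0, .len = 5 };

    memset(g_region, 0, sizeof g_region);
    memcpy(g_region, "hello", 5);             /* constructed sample payload */

    if (!copy_offsets_checked(g_region, REGION_SIZE, &ok))  return 1;
    if (memcmp(g_region + 64, "hello", 5) != 0)             return 2;
    if (copy_offsets_checked(g_region, REGION_SIZE, &bad))  return 3;
    if (!offsets_escape_region(&bad, REGION_SIZE))          return 4;
    return 0;
}

int main(void)
{
    return demo();
}
```

The check in range_in_region is written as `off <= size && len <= size - off` rather than `off + len <= size` so that a huge offset or length cannot wrap the addition and pass the test; that wrap-around is exactly the kind of gap an offset-based "fix" leaves open when the offsets are still taken from the untrusted request.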
Microsoft has assigned a new CVE, CVE-2020-17008, to the issue. The company had planned to release a fix in November but, citing “issues identified in testing,” now expects to resolve it on January 12, 2021. Meanwhile, Project Zero has publicly disclosed the vulnerability along with proof-of-concept code for the issue.