Google team reveals zero-day Windows exploit

Google's Project Zero team said the bug, CVE-2020-17087, was being used jointly with an exploit uncovered earlier last week in Google Chrome and Chrome OS. Attackers were able to escape the confines of Chrome's sandbox and trigger an attack on the operating system.

Google fixed the Chrome vulnerability and has alerted Microsoft to the remaining bug.

A zero-day vulnerability is a fault in a system that is disclosed but not yet patched by the manufacturer.

Project Zero normally discloses vulnerabilities after 90 days or earlier if a solution is made available. But in this instance, because the bug is under active exploit and no patch has yet been issued, the Google team provided Microsoft with a seven-day window to fix the problem before it was made public.

In a post issued Friday, the Project Zero group stated: "The Windows Kernel Cryptography Driver (cng.sys) exposes a DeviceCNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)."

Microsoft has not yet resolved the problem. Google says it expect Microsoft to issue a patch on November 10, the second Tuesday of the month that is traditionally when Microsoft dispatches accumulated patches.

Microsoft has offered no guidance on addressing the issue until a patch is released. But a company representative said there is no evidence the bug is being widely exploited.

In a statement released last week, Microsoft said: "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers' deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."

Shane Huntley, director of Google's Threat Analysis team, said the attacks were targeted and are not related to Tuesday's presidential election.

Attackers manipulated a function in the Windows Kernel Cryptography Driver by inserting a number into a buffer that is below an allowable level. When the number is converted to a hexadecimal from a binary, input/output controllers can be hijacked to transmit data into a secure area that allows code execution, providing the attacker with access to the system outside of the protected sandbox.

Website search

Recently updated

OneNote Password Recovery Key Crack + Activator Download 2020 OneNote Password Recovery Key Crack + Serial Number A password rҽcovҽry tool that is dҽsignҽd to rҽtriҽvҽ passphrasҽs for MS OnҽNotҽ filҽs by using a combination of various attacқs
P2 Commander Crack + Activator Download P2 Commander Crack With License Key 2020 A rҽliablҽ and ҽffҽctivҽ solution that hҽlps you to pҽrform comprҽhҽnsivҽ digital forҽnsic ҽxaminations and dҽlҽtҽd data rҽcovҽry
MailEnable Enterprise Premium Crack + Activator Download 2020 MailEnable Enterprise Premium Crack + Serial Number A powҽrful ҽmail sҽrvҽr that intҽgratҽs MAPI connҽctor for Outlooқ, mobilҽ connҽctivity, as wҽll as sharing and collaboration options

Software News

Jan 15
Leaks of Microsoft's Windows 10X for single screen PCs reveal a simplified OS with an emphasis on simplicity.
Jan 15
Any building project requires the formulation of a series of initial plans prior to starting construction to serve as a basis and guide for the whole process. A similar procedure is followed in software development, with ...
Jan 13
I had a few emails from readers asking about the end of Adobe Flash and what they should do about it.
Jan 7
The COVID-19 pandemic has seen hardware developers clamoring to make 'open source' technology to support our frontline services. Their intentions have been honorable-an invitation to teams across the world to collaborate ...
Jan 1
Microsoft hackers tied to a massive intrusion of dozens of U.S. government agencies and private companies sneaked further into its systems than previously thought, although the intrusion doesn't appear to have caused any ...
Dec 22
Professional and college sports have been disrupted by the coronavirus pandemic. But sports played on virtual athletic fields and courts have thrived.
Dec 18
Sony is pulling the much-hyped Cyberpunk 2077 from PlayStation stores around the world, the firm said Friday, after a flood of complaints and ridicule over bugs, compatibility issues and even health risks.

About us

Welcome to new crack resource! Our service can generate cracks, keygens and serials for your software to unlock it. CrackDownloadz provides a lot of popular cracks and keygens. No spyware and adware at all, just download new cracks, keygens and serials. If you have a software that needs a crack feel free to contact us.

Also you may contact us if you have software that needs to be removed from our website.