The surprising thing about the problem is that it was used in a real attack in combination with another recently found vulnerability, this one in the Google Chrome browser. That bug, already fixed, was in the FreeType font handler and allowed an escape from the sandbox. Together, the two vulnerabilities made the following scenario possible: the victim is lured to a malicious web page, the attackers run code outside the browser's secure environment, and the vulnerability in Windows then gives them full control over the system.
This scenario is speculative: Google does not disclose the details of the attack itself. At the same time, the Project Zero team applied its disclosure rule for vulnerabilities already under active exploitation and gave Microsoft only seven days to release a patch. At the time of publication, the patch for Windows is not yet available; it will most likely be included in the regular set of updates scheduled for November 10. As usual, there was a rather caustic exchange of views: Microsoft believes that Google's security researchers could have held back the publication, while Project Zero is confident that the short deadline encourages vendors to release a patch faster, perhaps even outside the standard schedule.
Vulnerability CVE-2020-117087 affects at least Windows 10 and Windows 7. It is present in one of the system's data encryption functions. An input processing error causes a buffer overflow and creates the conditions for arbitrary code execution with system privileges. The Project Zero technical article shows the logic of the vulnerable function in pseudocode and also includes a PoC script that crashes the system.
In turn, the vulnerability in the Chrome browser most likely affects other browsers based on the Blink engine, and probably not just browsers, since the bug was found in the code of a third-party library… Interestingly, Microsoft does not confirm active exploitation of the Windows vulnerability, while Google believes otherwise. If the real attack did take place (no information about it has been disclosed), its initial stage was in any case the Chrome browser. The patch for the FreeType library made this particular attack chain impossible; that, of course, does not rule out exploiting the Windows vulnerability in other ways.
What else happened:
Kaspersky Lab experts published a report on DDoS attacks in the third quarter of this year. The total number of campaigns decreased significantly compared to the previous quarter, in which an abnormally high level of cybercriminal activity, apparently connected with the pandemic, was recorded.
Sophos reports on a Facebook password-phishing technique that attempts to bypass two-factor authentication. Users are invited, under threat of their page being deleted, to dispute an alleged copyright-infringement complaint. On a fake account login page they are asked to enter their username, password and one-time code in order to log in.
In Finland, the details of at least 300 clients of the Vastaamo psychotherapy center were leaked. Some of the records have ended up in the public domain, and some patients have been sent ransom demands of about 200 euros in cryptocurrency along with threats to publish their sensitive information. Before this, the cybercriminals tried to get money from the affected organization in the traditional way: they demanded almost half a million euros from it.
A slightly less dangerous use of personal data: an attack on customer accounts at a restaurant chain. The accounts of some customers were hijacked, most likely by credential stuffing: the attackers were able to guess the passwords because the same passwords had been used on other, already breached services. The result was a significant loss of money, as large orders were placed on behalf of the customers. The cybercriminals literally worked for food.
The WordPress 5.5.2 release closed a critical vulnerability that allowed an attacker to gain control of an unpatched website. This is an infrequent case of a serious problem in the CMS code itself rather than in third-party plugins.