Security Week 45: tandem of vulnerabilities in Windows 10 and Chrome
Last week, the Google Project Zero team disclosed the details of a vulnerability in Windows 10 that allows an attacker to gain system privileges on a victim’s computer.The surprising thing about the problem is that it was used in a real attack in combination with another, also recently found vulnerability in the Google Chrome browser. They found a bug in the FreeType font handler (already closed), which allowed to escape from the sandbox. A couple of vulnerabilities, respectively, made such a scenario possible: the victim is lured to an infected web page, attackers run code outside the browser’s secure environment, and a vulnerability in Windows gives them full control over the system.
This scenario is speculative: Google does not disclose the details of the attack itself. At the same time, the Project Zero team applied the zero-day vulnerability disclosure rule and gave Microsoft only seven days to release the patch. At the time of publication, the patch for Windows is not yet available: it will most likely be included in the regular set of updates, scheduled for November 10. Traditionally, there was a rather caustic exchange of views: Microsoft believes that Google’s security officers could have tolerated the publication, Project Zero is confident that they are encouraging vendors to release a patch faster – perhaps even outside the standard schedule.
Sources
Bug in Windows 10: article ArsTechnica, technical information…
Vulnerability in Google Chrome: technical data and discussion in the Project Zero bug tracker.
Vulnerability CVE-2020-117087 affects at least Windows 10 and Windows 7. It is present in one of the system functions for data encryption. An error in information processing causes a buffer overflow and creates conditions for the execution of arbitrary code with system privileges. The Project Zero technical article shows the logic of the vulnerable function in pseudocode, and also includes a PoC script that causes the system to crash.
In turn, the vulnerability in the Chrome browser most likely affects other browsers based on the Blink engine. Probably not just browsers: bug found in code third party library… Interestingly, Microsoft does not confirm active exploitation of the vulnerability in Windows, while Google believes otherwise. If the real attack did take place (information about it was not disclosed), then in any case its initial stage was the Chrome browser. A vulnerability patch in the FreeType library made this particular attack method impossible. That, of course, does not exclude the possibility of exploiting the vulnerability in Windows in other ways.
What else happened:
Kaspersky Lab experts published report on DDoS attacks in the third quarter of this year. The total number of campaigns has significantly decreased compared to the previous period, in which an abnormally high activity of cybercriminals was recorded, apparently associated with a pandemic.
At Sophos report about Facebook’s password phishing technique that attempts to bypass two-factor authentication. Users are offered (under threat of deleting the page) to challenge the alleged complaint of copyright infringement. On a fake account login page, they offer to enter a username, password and one-time code to log into the account.
