An unpatched zero-day vulnerability in the Windows kernel is being actively exploited. It allows an attacker who already has code running on a machine to escalate privileges.

Mateusz Jurczyk and Sergei Glazunov of Google's Project Zero team have found a vulnerability in the Windows kernel that is currently being exploited in the wild. The flaw is in the Windows kernel cryptography driver (cng.sys): a 16-bit integer truncation in its handling of a user-supplied input structure causes a buffer overflow. The vulnerability has been assigned CVE-2020-17087.
The cryptography driver exposes a CNG device to user-mode programs and supports a number of IOCTLs with non-trivial input structures, so the flaw is reachable from an unprivileged local process. Malware, or an attacker who has already gained a foothold on the system, can use it to elevate privileges and obtain full control of the compromised machine.
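The bug class behind CVE-2020-17087, a size computed in a 16-bit variable that is then used to allocate a buffer while the copy that follows runs to the full 32-bit length, is easy to reproduce in user mode. The C program below is an added example written for this article; it is not code from cng.sys or from Project Zero. The input layout, the 6-byte-per-unit expansion factor, the MAX_UNITS bound and all function names are assumptions chosen to illustrate the pattern. The vulnerable handler deliberately refuses to write past the allocation and only measures how far a real copy loop would have gone, so the program runs without corrupting its own heap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for the demo: each 2-byte input unit is expanded to 6 bytes of
 * text such as "1A2B, ". A factor above 1 is what makes a modest 32-bit
 * count overflow a 16-bit size. This is not the cng.sys layout. */
#define OUT_BYTES_PER_UNIT 6
/* Assumed sanity bound a hardened handler enforces on the request size. */
#define MAX_UNITS 0x10000u

/* Expand 'count' input units into 'out'. Writes at most 'cap' bytes so the
 * demo measures the overflow instead of corrupting the heap; a driver copy
 * loop that trusts its own size computation has no such cap. Returns the
 * number of bytes the formatter wanted to write. */
size_t format_units(const uint8_t *in, uint32_t count, uint8_t *out, size_t cap)
{
    size_t want = 0;
    for (uint32_t i = 0; i < count; i++) {
        char chunk[OUT_BYTES_PER_UNIT + 1];               /* +1 for snprintf's NUL */
        snprintf(chunk, sizeof chunk, "%02X%02X, ",
                 (unsigned)in[2 * i], (unsigned)in[2 * i + 1]);
        if (want + OUT_BYTES_PER_UNIT <= cap)
            memcpy(out + want, chunk, OUT_BYTES_PER_UNIT);
        want += OUT_BYTES_PER_UNIT;
    }
    return want;
}

/* The bug class: the allocation size is computed in a 16-bit variable.
 * From count = 0x2AAB onward, 6 * count exceeds 0xFFFF and wraps, while the
 * copy loop still runs 'count' times. */
uint16_t truncated_size(uint32_t count)
{
    uint16_t size = (uint16_t)(count * OUT_BYTES_PER_UNIT);
    return size;
}

/* Vulnerable handler shape. Returns how many bytes the formatter would have
 * written past the allocation (0 when the request is handled safely). */
size_t vulnerable_handler(uint32_t count)
{
    uint16_t alloc_size = truncated_size(count);
    uint8_t *in  = calloc(count ? count : 1, 2);          /* constructed all-zero input */
    uint8_t *buf = malloc(alloc_size ? alloc_size : 1);
    if (!in || !buf) { free(in); free(buf); return 0; }
    size_t want = format_units(in, count, buf, alloc_size);
    free(buf);
    free(in);
    return want > alloc_size ? want - alloc_size : 0;
}

/* Hardened size computation: full-width arithmetic, an explicit bound on
 * the request, and a multiplication-overflow check before any allocation. */
bool hardened_size(uint32_t count, size_t *out_size)
{
    if (count == 0 || count > MAX_UNITS)
        return false;
    if ((size_t)count > SIZE_MAX / OUT_BYTES_PER_UNIT)   /* unreachable under MAX_UNITS, kept for clarity */
        return false;
    *out_size = (size_t)count * OUT_BYTES_PER_UNIT;
    return true;
}

int main(void)
{
    uint32_t probes[] = { 0x2AAA, 0x2AAB, 0x3000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t safe = 0;
        bool ok = hardened_size(probes[i], &safe);
        printf("count=0x%X truncated=0x%04X overflow=%zu bytes hardened=%s size=%zu\n",
               probes[i], truncated_size(probes[i]), vulnerable_handler(probes[i]),
               ok ? "ok" : "reject", safe);
    }
    return 0;
}
```

The boundary is count = 0x2AAA (6 * 0x2AAA = 0xFFFC, still fits) versus 0x2AAB (6 * 0x2AAB = 0x10002, truncated to 2): one extra unit turns a correctly sized buffer into a 2-byte allocation that the copy loop overruns by 64 KiB. The hardened variant keeps the arithmetic in size_t and rejects oversized requests before allocating, which is the fix shape to look for when reviewing IOCTL handlers that derive allocation sizes from user-controlled lengths.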
Project Zero reported the vulnerability privately to Microsoft on October 22, 2020. Because the bug was being exploited in the wild, the team applied its seven-day disclosure deadline for actively exploited vulnerabilities and published the details on October 30, one week later.
The researchers' proof of concept (PoC) was tested on Windows 10 1903 (64-bit), but they state that every version from Windows 7 through the latest Windows 10 release is affected, since cng.sys has shipped since at least Windows 7. Versions that are already out of official support are therefore probably affected as well and may not receive a fix.
Microsoft has said it is working on a fix. A patch is therefore expected on Tuesday, November 10, 2020, as part of the regular "Patch Tuesday" cycle. Until then there is no workaround; because the bug is a local privilege escalation, it only matters once an attacker already has code running on the machine, so preventing that initial foothold remains the main line of defense.
More information:
Google discloses Windows zero-day exploited in the wild
https://www.zdnet.com/article/google-discloses-windows-zero-day-exploited-in-the-wild/
