Google Discloses Windows Zero-Day Exploited in the Wild (zdnet.com)
Security researchers from Google have disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation. From a report: The zero-day is expected to be patched on November 10, which is the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, team lead for Project Zero, Google's elite vulnerability research team. On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week. The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome's secure container and run code on the underlying operating system -- in what security experts call a sandbox escape.
You had one job (Score:3, Funny)
I'm not a security expertologist, but I am pretty sure if something can escape your sandbox without some kind of hardware exploit, you did not actually make a sandbox.
It's a Windows kernel driver bug (Score:5, Interesting)
> I'm not a security expertologist, but I am pretty sure if something can escape your sandbox without some kind of hardware exploit, you did not actually make a sandbox.
The bug is that the cng.sys Windows kernel driver doesn't validate its inputs from user mode correctly. cng.sys is the Windows driver that implements the equivalent of UNIX /dev/urandom.
One major point of a sandbox is to limit the surface area that is attackable by a sandboxed program. Unfortunately, cryptographically secure random numbers are one feature that you want a sandbox to have access to, so even sandboxed programs can access cng.sys. This is similar to how /dev/urandom is still created in many chroot jails on UNIX. Imagine a bug in a /dev/urandom IOCTL; that's what this is.
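The comment above describes a kernel driver that fails to validate what user mode hands it through an IOCTL-style call. As an added illustration (not code from the thread, and not Microsoft's cng.sys), here is a model of the length checks a handler must make at that boundary; the request layout, handler, helper and status names are all hypothetical.

```c
/* Added example: a hypothetical IOCTL handler that treats its user-mode input
 * buffer as hostile. Nothing here is taken from cng.sys; the layout is made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PROP_LEN 64   /* size of the fixed kernel-side destination buffer */

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Constructed request format: a 4-byte caller-supplied length, then that many
 * payload bytes. Both the length field and in_len are controlled by the caller. */
int handle_request(const uint8_t *in, size_t in_len,
                   uint8_t out[MAX_PROP_LEN], size_t *out_len) {
    if (in == NULL || out == NULL || out_len == NULL) return STATUS_INVALID_PARAMETER;
    /* 1. The buffer must at least contain the header before the header is read. */
    if (in_len < sizeof(uint32_t)) return STATUS_BUFFER_TOO_SMALL;
    uint32_t prop_len;
    memcpy(&prop_len, in, sizeof prop_len);   /* copy once; do not re-read user memory */
    /* 2. The claimed length must fit inside the bytes that were actually passed... */
    if (prop_len > in_len - sizeof(uint32_t)) return STATUS_INVALID_PARAMETER;
    /* 3. ...and inside the kernel-side destination, or memcpy would overflow it. */
    if (prop_len > MAX_PROP_LEN) return STATUS_INVALID_PARAMETER;
    memcpy(out, in + sizeof(uint32_t), prop_len);
    *out_len = prop_len;
    return STATUS_OK;
}

/* Test helper: builds a constructed request that claims claimed_len bytes but
 * really carries payload_len filler bytes, and returns the handler's status. */
int submit_constructed(uint32_t claimed_len, size_t payload_len) {
    uint8_t buf[128], out[MAX_PROP_LEN];
    size_t n = 0;
    if (payload_len > sizeof buf - sizeof(uint32_t)) return STATUS_INVALID_PARAMETER;
    memset(buf, 0xA5, sizeof buf);            /* constructed filler, not real data */
    memcpy(buf, &claimed_len, sizeof claimed_len);
    return handle_request(buf, sizeof(uint32_t) + payload_len, out, &n);
}

int main(void) {
    printf("honest request:     %d\n", submit_constructed(8, 8));     /* STATUS_OK */
    printf("length > passed:    %d\n", submit_constructed(1000, 8));  /* rejected */
    printf("length > kernel buf:%d\n", submit_constructed(100, 100)); /* rejected */
    return 0;
}
```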
Re: (Score:2)
> I read the articles rather quickly and did not see that. All I noticed was something about font rendering.
Wrong bug; that's the Chrome bug. Exploiting it gets you a chance to exploit the Windows kernel bug, which then lets you break out of the sandbox: https://bugs.chromium.org/p/pr... [chromium.org]
Not Windows, Chrome remote exploit! (Score:4, Insightful)
Do not sugarcoat it! The Windows exploit is local and because you are running Google Chrome(tm) in trusted mode (because of auto-update?)
The real problem here is Google Chrome running trusted code (Windows equivalent of root) and a remotely exploitable bug.
Re: (Score:3)
In other words: "It's Macromedia Flash all over again"!
Re: (Score:2)
Not so easy, actually. Microsoft and macOS updates are signed by Microsoft and Apple, respectively, and verified by the associated update daemon for each.
If applications were to use them, then Microsoft and Apple would have to figure out a way to pass on signed updates - Apple can do this via the App Store method where they approve the apps and then cro
Maybe you could clarify (Score:2)
> because you are running Google Chrome(tm) in trusted mode
> The real problem here is Google Chrome running trusted code (windows equivalent as root)
Maybe you could be a bit more clear what you mean by "trusted code".
I'd say the Windows equivalent of root is System (for root on older *nix) or Administrator (for root on modern *nix).
What, exactly, do you think is different about the context in which Chrome runs than calculator or notepad or anything else?
Re: (Score:2)
It occurs to me you may be thinking of .NET domains. If Chrome were a .NET application, you could put a sandbox around the sandbox. Is that what you have in mind?
I guess someone has to ask (Score:2)
Is Edge impacted?
Seems like the sandbox is overfilled with cat excrement.
one browser (Score:3)
This problem will only get worse as Chrome/Chromium gain even more market share. IE6 all over again.
Re: (Score:2)
> This problem will only get worse as Chrome/Chromium gain even more market share. IE6 all over again.
One rendering engine. Chromium Edge is affected as well.
Threat actors ? (Score:2)
Have we become so PC that we cannot just say 'criminals' ? Or must everything be elevated to some version of a Tom Clancy worldview.
Re: (Score:2)
It's not a crime if you're the government...
Re: The question is.. (Score:1)
Lesser privileges. That's why it doesn't prompt. Uses your user's perms.
Re: (Score:2)
Or because Chrome installs its updates into your local user area and Firefox installs itself system wide, so needs the higher permissions to update.
The update process is also not the same as the browser process. Chrome has been doing process isolation since the beginning.
So...Firefox is unaffected? (Score:1)
Great. I'll just keep using Firefox for now.
Uninstall Chrome? (Score:1)
So for protection from this the thing to do is uninstall Chrome?
Re: (Score:3)
No, just to upgrade Chrome.
There are two bugs. Any application using FreeType libraries is potentially vulnerable to the first one.
It's unclear how many applications are vulnerable to the second one. Just about anything that needs access to that flavor of random number generator and can be tricked into sending it garbage, I guess. That won't be fixable until the 10th apparently.