Google Discloses Windows Zero-Day Exploited in the Wild (zdnet.com)

Security researchers from Google have disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation. From a report: The zero-day is expected to be patched on November 10, which is the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, team lead for Project Zero, Google's elite vulnerability research team. On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with another Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week. The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome's secure container and run code on the underlying operating system -- in what security experts call a sandbox escape.
  • by Presence Eternal ( 56763 ) on Friday October 30, 2020 @02:51PM (#60666748)

    I'm not a security expertologist, but I am pretty sure if something can escape your sandbox without some kind of hardware exploit, you did not actually make a sandbox.

    • Sort of like this one [wfcdn.com]?
    • by Myria ( 562655 ) on Friday October 30, 2020 @03:11PM (#60666810)

      > I'm not a security expertologist, but I am pretty sure if something can escape your sandbox without some kind of hardware exploit, you did not actually make a sandbox.

      The bug is that the cng.sys Windows kernel driver doesn't validate its inputs from user mode correctly. cng.sys is the Windows driver that implements the equivalent of UNIX /dev/urandom.

      One major point of a sandbox is to limit the surface area that is attackable by a sandboxed program. Unfortunately, cryptographically secure random numbers are one feature that you want a sandbox to have access to, so even sandboxed programs can access cng.sys. This is similar to how /dev/urandom is still created in many chroot jails on UNIX. Imagine a bug in a /dev/urandom IOCTL; that's what this is.

      • Well that's just not on, is it! CNG is part of Windows' security, and bad guys aren't supposed to use Windows security components to break Windows security. There's a big "security line, do not cross" label attached to it, and all attackers should respect that and not attack beyond that point. It's just unsporting, I say.
  • by nazsco ( 695026 ) on Friday October 30, 2020 @02:53PM (#60666756) Journal

    Do not sugar coat it! The Windows exploit is local, and because you are running Google Chrome(tm) in trusted mode (because of auto-update?)

    The real problem here is Google Chrome running trusted code (windows equivalent as root) and a remote exploitable bug.

    • by nazsco ( 695026 )

      In other words: "It's Macromedia Flash all over again"!

    • > because you are running Google Chrome(tm) in trusted mode

      > The real problem here is Google Chrome running trusted code (windows equivalent as root)

      Maybe you could be a bit more clear what you mean by "trusted code".
      I'd say the Windows equivalent of root is System (for root on older *nix) or Administrator (for root on modern *nix).

      What, exactly, do you think is different about the context in which Chrome runs than calculator or notepad or anything else?

      • It occurs to me you may be thinking of .NET domains.
        If Chrome were a .NET application, you could put a sandbox around the sandbox. Is that what you have in mind?

    • No, you're not running Google Chrome in "trusted mode" (or with any special privilege). It actually runs most processes in an Untrusted or Low Integrity level, as one can see from a simple Process Explorer check (https://imgur.com/a/xJSf9AQ). The most privileged process Chrome runs is at Medium integrity, which is ordinary user privileges. Chrome uses multiple layers of sandboxing, including system call restrictions and Windows' ability to allow running processes to revoke access to resources by removing
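The Process Explorer check described in the comment above can also be scripted. The following PowerShell is an added example, not code from the thread or from the Chrome project: it reads each chrome.exe process token's integrity label (TokenIntegrityLevel) through the Win32 token APIs and maps the label RID to its name. The helper class name TokenIL and the assumption that Chrome is running under the current user on Windows 10 are the author's; the script reports only the integrity label, not the job, AppContainer or system-call restrictions the comment also mentions.

```powershell
# Added example: list the mandatory integrity level of every running chrome.exe process.
# Assumes Windows 10, Windows PowerShell 5.1 or later, and Chrome running as the current user.
if (-not ('TokenIL' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint ret);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);   // returns PDWORD
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);          // returns PUCHAR
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the integrity RID (0x0000 Untrusted, 0x1000 Low, 0x2000 Medium,
    // 0x3000 High, 0x4000 System) or -1 if the process or token cannot be queried.
    public static int GetIntegrityRid(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) return -1;
        IntPtr token;
        if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) { CloseHandle(proc); return -1; }
        uint len;
        // First call sizes the TOKEN_MANDATORY_LABEL buffer (fails with ERROR_INSUFFICIENT_BUFFER).
        GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len);
        IntPtr buf = Marshal.AllocHGlobal((int)len);
        int rid = -1;
        try {
            if (GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len)) {
                // TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES; the SID lives inside buf.
                SID_AND_ATTRIBUTES label =
                    (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(buf, typeof(SID_AND_ATTRIBUTES));
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(label.Sid));
                // The last sub-authority of S-1-16-x is the integrity RID.
                rid = Marshal.ReadInt32(GetSidSubAuthority(label.Sid, (uint)(count - 1)));
            }
        } finally {
            Marshal.FreeHGlobal(buf);
            CloseHandle(token);
            CloseHandle(proc);
        }
        return rid;
    }
}
"@
}

$names = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

Get-Process chrome -ErrorAction SilentlyContinue | ForEach-Object {
    $rid = [TokenIL]::GetIntegrityRid($_.Id)
    $level = if ($rid -lt 0) { 'access denied' }
             elseif ($names.ContainsKey($rid)) { $names[$rid] }
             else { '0x{0:x}' -f $rid }
    [pscustomobject]@{ PID = $_.Id; Integrity = $level }
} | Sort-Object Integrity | Format-Table -AutoSize
```

On a machine with Chrome open, the browser process should appear at Medium and the renderer and utility processes at Low or Untrusted, which is the point the comment makes: none of them hold anything above ordinary user rights. A sandboxed process that reads as Medium or higher is the thing a defender would want to investigate.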
  • Is Edge impacted?

    Seems like the sandbox is overfilled with cat excrement.

  • by awwshit ( 6214476 ) on Friday October 30, 2020 @03:09PM (#60666804)

    This problem will only get worse as Chrome/Chromium gain even more market share. IE6 all over again.

    • > This problem will only get worse as Chrome/Chromium gain even more market share. IE6 all over again.

      One rendering engine. Chromium Edge is affected as well.

  • Have we become so PC that we cannot just say 'criminals' ? Or must everything be elevated to some version of a Tom Clancy worldview.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday October 30, 2020 @03:40PM (#60666888)
    Comment removed based on user account deletion
    • Lesser privileges. That's why it doesn't prompt. Uses your user's perms.

    • Or because Chrome installs its updates into your local user area and Firefox installs itself system wide, so needs the higher permissions to update.

      The update process is also not the same as the browser process. Chrome has been doing process isolation since the beginning.

  • or use any Microsoft products anymore.
  • ... I still use my Spectrum ZX. Bloody printer is crap though.
  • Great. I'll just keep using Firefox for now.

  • So for protection from this the thing to do is uninstall Chrome?

    • by skids ( 119237 )

      No, just upgrade Chrome.

      There are two bugs. Any application using FreeType libraries is potentially vulnerable to the first one.

      It's unclear how many applications are vulnerable to the second one. Just about anything that needs access to that flavor of random number generator and can be tricked into sending it garbage, I guess. That won't be fixable until the 10th apparently.
