Google’s Project Zero team has disclosed a vulnerability in Windows, present from Windows 7 through the latest version of Windows 10, that attackers are actively exploiting in the wild.
Finding a vulnerability already used in the wild is the worst possible scenario. Discovering a severe vulnerability that no one is aware of is bad enough, but finding one that has been exploited for an unknown period is much, much worse.
Like many other vulnerabilities, this one is about elevating privileges: an attacker who already runs code on the machine, for instance inside a sandboxed process, can use it to gain higher privileges. Reports of the Zerologon vulnerability are still coming in, and another one is already on the radar.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” said Mateusz Jurczyk and Sergei Glazunov of Google Project Zero. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”
The team has already provided a proof-of-concept that works on an up-to-date build of Windows 10 1903 (64-bit), but the researchers say the bug, and consequently the vulnerability, has been present since at least Windows 7. This complicates matters: Windows 7 still has a sizeable market share (around 5 percent) and no longer receives regular security updates, since its support ended in January 2020.
Usually, when severe vulnerabilities are found, researchers and vendors coordinate the disclosure so there is time to release a patch; Project Zero’s standard deadline is 90 days. But because the team says it has evidence the bug is being exploited in the wild, it gave Microsoft only seven days.
Disclosing the vulnerability forces vendors to act quickly and lets network and IT admins become aware of a potential problem. Ben Hawkes, Project Zero’s technical lead, has already said the exploitation is not related to the upcoming November 3 US presidential election.
Microsoft is expected to release a patch on November 10.
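As an added example (not code from the article or from Project Zero), the PowerShell function below gives an admin a per-host answer to the question this raises: does the machine still run a cng.sys older than the fixed build, and is it a Windows 7 / Server 2008 R2 host (kernel version 6.1) that will not receive the fix at all? The fixed file version is not stated on this page and must be supplied from Microsoft’s advisory once the patch ships; the function name, the `$fixedVersionFromAdvisory` variable and the output fields are this example’s own.

```powershell
# Added example; not code from the article or from Project Zero.
# Reports whether a host is exposed to the cng.sys privilege-escalation bug.
# Assumptions: the caller supplies the fixed cng.sys file version from
# Microsoft's advisory; Windows 7 and Server 2008 R2 share kernel version 6.1
# and are treated as hosts that will not receive the fix.

function Get-CngExposure {
    [CmdletBinding()]
    param(
        # cng.sys file version that carries the fix (taken from the vendor advisory).
        [Parameter(Mandatory)]
        [version]$PatchedVersion,

        # Location of the driver; the default is the standard system path.
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\cng.sys')
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $fvi = (Get-Item -Path $DriverPath).VersionInfo

    # Build a System.Version from the four numeric parts. The FileVersion string
    # on Windows binaries carries trailing build text that does not parse as [version].
    $installed = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                                $fvi.FileBuildPart, $fvi.FilePrivatePart)

    # Win32_OperatingSystem.Version is "6.1.xxxx" on Windows 7 / Server 2008 R2.
    $isWin7Family = $os.Version -like '6.1.*'

    if ($installed -ge $PatchedVersion) {
        $status = 'Patched'
    } elseif ($isWin7Family) {
        $status = 'Vulnerable-NoFixExpected'
    } else {
        $status = 'Vulnerable-AwaitingPatch'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        CngFileVersion = $installed
        PatchedVersion = $PatchedVersion
        Status         = $status
    }
}

# Usage: set $fixedVersionFromAdvisory to the version Microsoft publishes, then run
# on each host (locally or through Invoke-Command) and collect the objects.
#   Get-CngExposure -PatchedVersion $fixedVersionFromAdvisory
```

Two practical caveats: a stock Windows 7 host ships PowerShell 2.0, where `Get-CimInstance` is unavailable, so replace it with `Get-WmiObject Win32_OperatingSystem` there (the rest of the function is unchanged); and a host reported as `Vulnerable-NoFixExpected` has no patch path, so the realistic mitigations are isolating or upgrading it rather than waiting for November 10.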