Microsoft releases patch for Windows zero-day flaw found by Google

Last month, security researchers at Google's Project Zero released details of a zero-day vulnerability in Windows that was being actively exploited.

Hacklers were taking advantage of a Windows Kernel Cryptography Driver security flaw (CVE-2020-117087) to gain elevated privileges in Windows 7, 8, and 10, as well as Windows Server 2008 and higher. As part of yesterday's Patch Tuesday release, Microsoft has now issued a fix for the vulnerability.

See also:

• Microsoft is going to forcibly upgrade systems running old versions of Windows 10
• Microsoft may have dropped Office 2010 but 0patch will still offer security patches
• Thunderbolt NVMe SSDs are causing problems in Windows 10

Known as the "Windows Kernel Local Elevation of Privilege Vulnerability", CVE-2020-17087 was revealed to Microsoft back on October 22. Ordinarily, Project Zero would implement a 90-day grace period before going public with details of a vulnerability, but reduced this to just seven days due to the fact it was in the wild.

The Project Zero team explained:

The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).

Over on the MSRC portal, Microsoft acknowledges the work done by Mateusz Jurczyk and Sergei Glazunov of Google Project Zero to bring the vulnerability to its attention. Links to the patches for different versions of Windows and Windows Server can be found on the same page.

Image credit: Walter Cicchetti / Shutterstock