Google Publicly Disclosed A Windows Zero-Day Bug Because Microsoft Was Too Slow


Microsoft and Google are competitors. But when finding bugs, even competitors should behave like any ethical security researcher because it concerns end users.

This time, researchers at Google have disclosed an unpatched zero-day vulnerability that is being actively targeted and exploited by hackers in the wild. The vulnerability affects all Windows versions from 7 to 10. Microsoft has since confirmed this.

Microsoft was first informed of the vulnerability by Google's Project Zero team, a dedicated unit of bug hunters specializing in tracking zero-day vulnerabilities. Because Project Zero had identified that the security problem was being actively exploited in the wild by attackers, the researchers gave Microsoft a deadline of just seven days to fix it before disclosure.

Unfortunately for Microsoft, the company failed to issue a security patch within that short timeframe.

Because of this, Google had no choice but to go ahead and publish the details of the zero-day vulnerability.

The vulnerability, which has no name, is tracked as CVE-2020-17087.

The bug itself resides deep within the Windows Kernel Cryptography Driver, also known as cng.sys.

The bug is a memory buffer-overflow problem that could give hackers increased privileges when accessing a target Windows machine. And if the hackers exploit the Windows vulnerability in conjunction with a separate bug in Chrome, which Google has disclosed and fixed, this bug would allow hackers to escape Chrome’s sandbox.

This allows hackers to also run malware on the operating system.

According to Project Zero’s technical lead Ben Hawkes, there is no clear way of knowing who is using the zero-day bug. But it should be noted that most zero-days are discovered by state-sponsored hacking groups or large cybercriminal groups.

In a tweet, Hawkes said that Microsoft plans to issue a patch on November 10.

While hackers are known to be actively targeting Windows systems using this bug, it doesn't mean that people should be worried.

First, Shane Huntley, director of Google's Threat Analysis Group, said that hackers exploiting the vulnerability are not targeting any U.S. election-related systems at this point. Second, Microsoft, which has confirmed that the reported attack is real, said that the bug is being exploited in a very limited scope.

In other words, the bug is not widespread.

Furthermore, Microsoft has also confirmed that the vulnerability cannot be exploited to affect cryptographic functionality.

In general, rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch. This is because by making the information public, hackers could take advantage of the information to exploit the bug to their own advantage.

Google's reasoning for the seven-day deadline is that with each passing day, an actively exploited vulnerability that remains undisclosed to the public and unpatched results in more compromised computers.

The idea behind the brief disclosure time for an actively exploited vulnerability is that the public pressure would force Microsoft to fix the vulnerability.

And this, at least according to Google, could make all the difference in the vendor taking it seriously.

A Microsoft spokesperson said that "while we work to meet all researchers' deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."

Published: 03/11/2020