Tutorials Unpatched Windows 0-Day Bug Is Being Actively Exploited


RankBit

Registered Member
Joined: Mar 16, 2021
A zero-day flaw has been recently reported in Microsoft Windows operating system (OS) that is allegedly being actively abused in the wild.

  • What is the vulnerability?

The bug, assigned the identifier CVE-2020-17087, exists due to the Windows Kernel Cryptography Driver (cng.sys) revealing a \Device\CNG device to user-mode programs and supporting various IOCTLs with nontrivial input structures. Specifically, the problem is present in the cng!CfgAdtpFormatPropertyBlock function due to a 16-bit integer truncation issue that might pave the way for a local exploitation to empower the threat actors to escalate their privileges and escape security measures such as a sandbox.


  • What are the affected versions?

This flaw is reported to affect Windows versions from Windows 7 to the updated Windows 10 1903 (64-bit) build.

  • Is the bug being exploited?

This vulnerability is indeed being actively exploited in attacks.

  • Any patch?

Google’s Project Zero team, who discovered this bug, has already reported this issue to Microsoft who, unfortunately, is yet to release a patch to address the security hole. However, it is expected that the tech giant will probably roll out a concerned security update in its next Patch Tuesday release scheduled on 10th November 2020.


RankBit

Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows.

Researchers at Sangfor published the PoC, in what appears to have been a mistake, or a miscommunication between the researchers and Microsoft. The test code was quickly deleted, but not before it had already been forked on GitHub.

Sangfor researchers had been planning to detail multiple 0-day vulnerabilities in the Windows Print Spooler service at the annual Black Hat security conference later this month. It appears the researchers thought Microsoft had patched this particular vulnerability, after the company published patches for a separate Windows Print Spooler flaw.

It has taken Microsoft a couple of days to finally issue an alert about the 0-day, and Bleepingcomputer reports that the company is even warning customers that it’s being actively exploited. The vulnerability allows attackers to use remote code execution, so bad actors could potentially install programs, modify data, and create new accounts with full admin rights.

Microsoft admits “the code that contains the vulnerability is in all versions of Windows,” but it’s not clear if it’s exploitable beyond server versions of Windows. The Print Spooler service runs by default on Windows, including on client versions of the OS, Domain Controllers, and many Windows Server instances, too.

Microsoft is working on a patch, but until it’s available the company recommends disabling the Windows Print Spooler service (if that’s an option for businesses), or disabling inbound remote printing through Group Policy. The Cybersecurity and Infrastructure Security Agency (CISA) has recommended that admins “disable the Windows Print Spooler service in Domain Controllers and systems that do not print.”

Vulnerabilities in the Windows Print Spooler service have been a headache for system administrators for years. The most infamous example was the Stuxnet virus. Stuxnet used multiple 0-day exploits, including a Windows Print Spooler flaw, to destroy several Iranian nuclear centrifuges more than a decade ago.
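A defender's check for the two mitigations the post above lists, written here as an added example (it is not from the post, Microsoft or CISA): it audits whether the Spooler is running, whether the host is a Domain Controller or has no real printers, and then either disables the service outright or only refuses inbound client connections. Assumptions: an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later (for Get-Printer), and that the "Allow Print Spooler to accept client connections" policy is backed by the RegisterSpoolerRemoteRpcEndPoint registry value (value 2 = disabled), which is my reading of Microsoft's guidance rather than something the post states.

```powershell
# Added example, not part of the original post. Run elevated.
# Assumption: the Group Policy "Allow Print Spooler to accept client connections"
# is stored as RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = @(4, 5) -contains $cs.DomainRole
    # Ignore the built-in virtual printers (PDF, XPS, OneNote) when deciding if the host prints
    $printers = @(Get-Printer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -notlike 'Microsoft*' -and $_.Name -notlike 'OneNote*' })
    $raw = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $policy = 'NotConfigured'
    if ($null -ne $raw) { $policy = if ($raw -eq 2) { 'Disabled' } else { 'Enabled' } }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        IsDomainController = $isDc
        NonVirtualPrinters = $printers.Count
        RemoteRpcPolicy    = $policy
        # CISA's rule from the post: disable on DCs and on systems that do not print
        ShouldDisable      = ($isDc -or $printers.Count -eq 0)
    }
}

function Disable-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SpoolerExposure
    if ($state.ShouldDisable) {
        # Nothing prints here: stop the service and keep it from starting again
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    } else {
        # A host that prints: keep local printing, refuse inbound remote print connections
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
            Restart-Service -Name Spooler
        }
    }
    Get-SpoolerExposure   # return the post-change state for the audit log
}

Get-SpoolerExposure | Format-List
```

Run `Disable-SpoolerExposure -WhatIf` first to see which of the two actions the host would receive without changing anything.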

