A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a “fix” from Microsoft failed to adequately patch it.
The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user, according to Microsoft’s advisory issued in June. An attacker would first have to log on to the system, but could then run a specially crafted application to take control of an affected system.
“The issue arises because the Windows kernel fails to properly handle objects in memory,” the firm said. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The bug rates 8.3 out of 10 on the CVSS vulnerability-severity scale.
From a more technical perspective, “the specific flaw exists within the user-mode printer driver host process splwow64.exe,” according to an advisory from Trend Micro’s Zero Day Initiative (ZDI), which reported the bug to Microsoft last December. “The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer.”
The issue remained unpatched for six months. In the meantime, Kaspersky observed it being exploited in the wild in May against a South Korean company, as part of an exploit chain that also used a remote code-execution zero-day bug in Internet Explorer. That campaign, dubbed Operation Powerfall, was believed to be initiated by the advanced persistent threat (APT) known as Darkhotel.
Microsoft’s June update included a patch that “addresses the vulnerability by correcting how the Windows kernel handles objects in memory.” However, Maddie Stone, researcher with Google Project Zero, has now disclosed that the fix was faulty, after Microsoft failed to re-patch it within 90 days of being alerted to the problem.
“Microsoft released a patch in June, but that patch didn’t fix the vuln,” she tweeted on Wednesday. “After reporting that bad fix in Sept. under a 90-day deadline, it’s still not fixed.”
She added, “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!