Windows Zero-Day Still Circulating After Faulty Fix


The LPE bug could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.

A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a “fix” from Microsoft failed to adequately patch it.

The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user, according to Microsoft’s advisory issued in June. An attacker would first have to log on to the system, but could then run a specially crafted application to take control of an affected system.

“The issue arises because the Windows kernel fails to properly handle objects in memory,” the firm said. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”


The bug rates 8.3 out of 10 on the CVSS vulnerability-severity scale.

From a more technical perspective, “the specific flaw exists within the user-mode printer driver host process splwow64.exe,” according to an advisory from Trend Micro’s Zero Day Initiative (ZDI), which reported the bug to Microsoft last December. “The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer.”

The issue remained unpatched for six months. In the meantime, Kaspersky observed it being exploited in the wild in May against a South Korean company, as part of an exploit chain that also used a remote code-execution zero-day bug in Internet Explorer. That campaign, dubbed Operation Powerfall, was believed to be initiated by the advanced persistent threat (APT) known as Darkhotel.

Microsoft’s June update included a patch that “addresses the vulnerability by correcting how the Windows kernel handles objects in memory.” However, Maddie Stone, researcher with Google Project Zero, has now disclosed that the fix was faulty, after Microsoft failed to re-patch it within 90 days of being alerted to the problem.

“Microsoft released a patch in June, but that patch didn’t fix the vuln,” she tweeted on Wednesday. “After reporting that bad fix in Sept. under a 90-day deadline, it’s still not fixed.”

She added, “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
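To make the distinction in Stone's description concrete, the following C model is added here; it is not code from splwow64.exe, Microsoft, ZDI or Project Zero. The arena, request layout and handler names are hypothetical stand-ins: a client-writable message buffer sits next to bytes the client must never touch, and three handlers show, in turn, the original pattern (client values dereferenced as pointers), the pattern Stone says the June patch introduced (pointers turned into offsets from a base, still with no bounds check), and a handler that validates every client-controlled value before the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Microsoft's code: one arena stands in for the host
 * process's address space. The first 64 bytes are the message buffer the
 * low-privileged client is allowed to fill; the 16 bytes after it stand in for
 * data the client must never touch (in the real target, anything else in the
 * higher-privileged process). */
#define BUF_SIZE  64
#define PRIV_SIZE 16
static unsigned char arena[BUF_SIZE + PRIV_SIZE];
static unsigned char *const client_buf = arena;            /* client-writable */
static unsigned char *const priv_data  = arena + BUF_SIZE; /* off limits      */
static const char priv_marker[PRIV_SIZE + 1] = "PRIVILEGED_DATA!";

/* A request as the client serializes it (hypothetical layout). Before the June
 * patch the two fields were interpreted as raw pointers; after it, as offsets. */
struct copy_request {
    uint64_t src;
    uint64_t dst;
    uint64_t len;
};

static void reset_arena(void) {
    memset(client_buf, 'A', BUF_SIZE);
    memcpy(priv_data, priv_marker, PRIV_SIZE);
}

/* Did the last request leave the privileged bytes intact? */
static int priv_intact(void) {
    return memcmp(priv_data, priv_marker, PRIV_SIZE) == 0;
}

/* 1. Original pattern: client-supplied values used directly as memcpy pointers. */
static void copy_original(const struct copy_request *r) {
    memcpy((void *)(uintptr_t)r->dst, (const void *)(uintptr_t)r->src, (size_t)r->len);
}

/* 2. The "fix" pattern Stone describes: pointers became offsets from a known
 *    base, but neither offset nor length is validated, so the client still
 *    chooses both memcpy arguments (base + client offset). */
static void copy_offset_unchecked(const struct copy_request *r) {
    memcpy(client_buf + r->dst, client_buf + r->src, (size_t)r->len);
}

/* 3. Hardened: reject any request whose source or destination range does not
 *    lie entirely inside the client buffer. The range test subtracts rather
 *    than adds so a huge offset or length cannot wrap past the comparison.
 *    memmove, not memcpy, because both ranges live in the same buffer and
 *    may legitimately overlap. Returns 0 on success, -1 on rejection. */
static int copy_checked(const struct copy_request *r) {
    if (r->src > BUF_SIZE || r->dst > BUF_SIZE)
        return -1;
    if (r->len > BUF_SIZE - r->src || r->len > BUF_SIZE - r->dst)
        return -1;
    memmove(client_buf + r->dst, client_buf + r->src, (size_t)r->len);
    return 0;
}

/* Original bug: the client hands over raw addresses. Kept inside the arena so
 * the demonstration stays well-defined. Returns 1 if priv_data was clobbered. */
static int demo_original_bypass(void) {
    struct copy_request evil = {
        .src = (uintptr_t)client_buf, .dst = (uintptr_t)priv_data, .len = PRIV_SIZE };
    reset_arena();
    copy_original(&evil);
    return !priv_intact();
}

/* Offset-only "fix": an offset equal to the buffer size lands exactly on
 * priv_data. In the real target nothing bounds the offset at all. */
static int demo_offset_bypass(void) {
    struct copy_request evil = { .src = 0, .dst = BUF_SIZE, .len = PRIV_SIZE };
    reset_arena();
    copy_offset_unchecked(&evil);   /* writes 16 'A's over priv_data */
    return !priv_intact();
}

/* Bounds-checked handler refuses the same request and leaves priv_data alone. */
static int demo_checked_rejects(void) {
    struct copy_request evil = { .src = 0, .dst = BUF_SIZE, .len = PRIV_SIZE };
    reset_arena();
    return copy_checked(&evil) != 0 && priv_intact();
}

/* ...while still serving a request that stays inside the client buffer. */
static int demo_checked_allows_valid(void) {
    struct copy_request ok = { .src = 0, .dst = 32, .len = 16 };
    reset_arena();
    return copy_checked(&ok) == 0 && priv_intact();
}

int main(void) {
    printf("raw-pointer handler clobbers privileged data: %d\n", demo_original_bypass());
    printf("offset-only 'fix' clobbers privileged data:   %d\n", demo_offset_bypass());
    printf("bounds-checked handler rejects the request:   %d\n", demo_checked_rejects());
    printf("bounds-checked handler serves a valid one:    %d\n", demo_checked_allows_valid());
    return 0;
}
```

Build with any C99 compiler (`cc -std=c99 -Wall model.c && ./a.out`); the first two lines print 1 because both the raw-pointer handler and the offset-only handler let the client pick where the copy lands, and the last two print 1 because only the handler that checks offset and length against the buffer size stops it. The point of the third handler is the one the June patch missed: converting a pointer to an offset changes the encoding of the client's choice, not who makes it, and it is the bounds check on the decoded value, not the encoding, that removes the primitive.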

Microsoft has issued a new CVE, CVE-2020-17008, and researchers expect a patch in January. Project Zero meanwhile has issued public proof-of-concept code for the issue.


Discussion

  • anon on

    Google Project Zero, ah yes, the political arm of Google which periodically releases Windows zero-days when bad news about Google starts to surface. Try searching for "A Google Docs Bug Could Have Allowed Hackers See Your Private Documents". Odd that they conveniently found an issue with Microsoft Windows just a mere five days before their own ecosystem caught fire. Question: How many other undisclosed zero-days has the Google team found, and why are they reporting them only when bad news lands on their own doorstep? When are they going to report the rest?
  • Pete P. on

    Aside from revealing a chip on your shoulder and remarkable pettiness, your comment implies that the threat is not as serious as indicated and suggests that the expiration of a 90-day notice was not the driver of the public revelation. Both are without justification and only help to erode computing security.
