Microsoft fixes Windows zero-day disclosed by Google last month

silversurfer

Level 69
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,831
Microsoft has fixed today a Windows kernel zero-day vulnerability exploited in the wild as part of targeted attacks and publicly disclosed by Project Zero, Google's 0day bug-hunting team, last month.

According to Project Zero researchers Mateusz Jurczyk and Sergei Glazunov, who discovered it, the security flaw currently tracked as CVE-2020-17087 is a pool-based buffer overflow found in the Windows Kernel Cryptography Driver (cng.sys).

"The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," the researchers explained.

Microsoft tagged the bug with a CVSS:3.0 severity rating of 7.8/10 saying that it can be exploited by local attackers with low privileges for privilege escalation (including sandbox escape) in low complexity attacks not requiring user interaction.

CVE-2020-17087 affects desktop systems running Windows 7 or later and servers running Windows Server 2008 and higher.

Security updates for all impacted Windows platforms are available on Microsoft's MSRC (Microsoft Security Response Center) portal.
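The article names the root cause as a 16-bit integer truncation that ends in a pool buffer overflow. The C program below is an added illustration of that bug class and is not code from cng.sys, Project Zero or Microsoft; the header size, the function names and the "property block" layout are all hypothetical. It shows how a length that is stored in a 16-bit field before sizing the allocation, but used at full width for the copy, produces an allocation smaller than the data written into it, and what the sizing check that rejects such lengths looks like. The overflowing variant is only modelled arithmetically (it reports how many bytes would spill past the buffer) so that the program is safe to run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not the cng.sys code: a caller-supplied
 * byte count is stored in a 16-bit field, the allocation size is derived from
 * that field, and the copy uses the original count. */

#define HEADER_SIZE 8u   /* hypothetical fixed header that precedes the payload */
#define PAYLOAD_MARK 0xA5 /* constructed fill byte used to verify the copy */

/* Size the allocation the way a truncating implementation would: the payload
 * length passes through a 16-bit field before it is used. */
size_t truncated_alloc_size(size_t payload_len)
{
    uint16_t stored_len = (uint16_t)payload_len;   /* bits above 16 are lost here */
    return HEADER_SIZE + stored_len;
}

/* Number of bytes a copy of payload_len bytes would write past the end of a
 * buffer sized by truncated_alloc_size(); 0 means the sizes agree. */
size_t overflow_bytes(size_t payload_len)
{
    size_t alloc  = truncated_alloc_size(payload_len);
    size_t needed = HEADER_SIZE + payload_len;
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened sizing: refuse any length that would not survive the 16-bit
 * round-trip. Returns 0 and writes the size to *out, or -1 on rejection. */
int checked_alloc_size(size_t payload_len, size_t *out)
{
    if (payload_len > UINT16_MAX)
        return -1;                      /* would be truncated: reject instead */
    *out = HEADER_SIZE + payload_len;   /* cannot wrap: payload_len <= 65535 */
    return 0;
}

/* Convenience wrapper for callers that want a single value: the checked size,
 * or 0 when the length is rejected (0 is never a valid block size). */
size_t checked_size_or_zero(size_t payload_len)
{
    size_t size;
    return checked_alloc_size(payload_len, &size) == 0 ? size : 0;
}

/* Build a block with the hardened sizing from a constructed payload of
 * payload_len marker bytes, then verify that every payload byte landed
 * inside the buffer. Returns 1 on success, 0 when the length is rejected. */
int build_and_verify(size_t payload_len)
{
    size_t size;
    if (checked_alloc_size(payload_len, &size) != 0)
        return 0;

    unsigned char *payload = malloc(payload_len ? payload_len : 1);
    unsigned char *block   = malloc(size);
    if (!payload || !block) {
        free(payload);
        free(block);
        return 0;
    }
    memset(payload, PAYLOAD_MARK, payload_len);
    memset(block, 0, HEADER_SIZE);
    /* The copy length equals size - HEADER_SIZE by construction. */
    memcpy(block + HEADER_SIZE, payload, payload_len);

    int ok = 1;
    for (size_t i = 0; i < payload_len; i++)
        if (block[HEADER_SIZE + i] != PAYLOAD_MARK)
            ok = 0;

    free(payload);
    free(block);
    return ok;
}

int main(void)
{
    /* Lengths around the 16-bit boundary: the last two are exactly the
     * values a truncating implementation mis-sizes. */
    size_t lens[] = { 16, 65535, 65536, 65636 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%zu truncated_alloc=%zu would_overflow_by=%zu checked=%s\n",
               lens[i], truncated_alloc_size(lens[i]), overflow_bytes(lens[i]),
               checked_size_or_zero(lens[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The point to notice is that 65536 truncates to 0, so the allocation becomes just the header while the copy still writes 65536 bytes; the check in checked_alloc_size is the kind of bound that has to sit between the caller's length and the narrower field, not after the allocation.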

Gandalf_The_Grey

Level 43
Verified
Trusted
Content Creator
Apr 24, 2016
3,237
Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
After the reboot today I got this popup in blocked Anti-Ransomware from Defender:
MoUsoCoreWorker.exe

This is related to Windows Update and I really wonder why this needs to be allowed/is blocked, or at least reported.
@Andy Ful
It was detected and blocked by Controlled Folder Access. I have whitelisted this item.

CFA did not block MoUsoCoreWorker.exe, but only blocked the attempt to access the disk by this process.
This can probably be ignored - if such a block could cause issues, it would be noticed by Microsoft.
Anyway, until we understand well what happened, it is better to add an exclusion in CFA. :)(y)

Gandalf_The_Grey

Level 43
Verified
Trusted
Content Creator
Apr 24, 2016
3,237
What's the KB?
From here:
To here:
To find the KB...
For 20H2 it's KB4586781
You can find the others in that second link.