Windows zero-day with bad patch gets new public exploit code

silversurfer

Back in June, Microsoft released a fix for a vulnerability in the Windows operating system that enabled attackers to increase their permissions to kernel level on a compromised machine. The patch did not stick.
The issue, which advanced hackers exploited as a zero-day in May, is still exploitable, but by a different method, as security researchers demonstrate with publicly available proof-of-concept code.
Google Project Zero security researcher Maddie Stone discovered that Microsoft’s patch in June did not fix the original vulnerability (CVE-2020-0986) and it can still be leveraged with some adjustments.
Stone says that an attacker can still trigger CVE-2020-0986 to increase their permissions to kernel level by sending an offset instead of a pointer.
On Twitter, the researcher spells it out, saying that the original bug was an arbitrary pointer dereference allowing an attacker to control the “src” and “dest” pointers to a memcpy function.
Microsoft’s patch was improper because it changed the pointers to offsets, so the function’s parameters could still be controlled.
In a short, technical report today, she explains how to trigger the vulnerability, now identified as CVE-2020-17008 [...]
 

SecurityNightmares

Timeline:

2020-09-24 Reported issue to MSRC
2020-09-25 Issue accepted by MSRC and assigned MSRC-61253
2020-10-27 Microsoft assigns CVE-2020-17008 for this issue, noting that while the fix was planned for November, that has slipped to December.
2020-12-03 Microsoft advises that due to issues identified in testing, the fix will now slip to January 2021.
2020-12-08 Meeting between MSRC and Project Zero leadership to determine details and discuss next steps. The 14-day grace period is unavailable as Microsoft do not plan to patch this issue before Jan 6 (next patch Tuesday is Jan 12).
2020-12-23 90 day deadline exceeded - derestricting issue.

Let's hope this doesn't get abused until Jan 12.
 

Gandalf_The_Grey

We'll try to spare you the nitty-gritty details as usual by presenting you with a simplified meat-of-the-matter statement as follows: A malicious process can send Local Procedure Call (LPC) messages to the splwow64.exe Windows process, through which an attacker can write an arbitrary value to an arbitrary address in splwow64's memory space. This essentially means that the attacker controls this destination address and any contents that get copied to it.

The flaw in question isn't exactly new. In fact, a security researcher at Kaspersky reported it earlier this year and Microsoft patched it back in June. However, this patch has now been determined to be incomplete by Google Project Zero's Maddie Stone, who says that Microsoft's fix only changes the pointers to an offset, which means that an attacker can still exploit it using the offset value.

The zero-day was reported privately to Microsoft by Google Project Zero on September 24, with the standard 90-day deadline set to expire on December 24. Microsoft initially planned to release a fix in November, but that release time frame then slipped to December. After that, it told Google that it had identified new problems in its testing, and it will now release a patch in January 2021.

On December 8, the two parties met to discuss progress and next steps, where it was determined that the 14-day grace period cannot be offered to Microsoft since the company plans to release the patch on Patch Tuesday on January 12, 2021, six days over the grace period deadline. Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code. The technical report is unclear which versions of Windows this affects, but Kaspersky's report from a few months ago indicates that attackers have been using it to target new builds of Windows 10.
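
The pointer-versus-offset point made in the first post (attacker-controlled "src" and "dest" for a memcpy, with the June fix merely reinterpreting them as offsets) and restated in the third post, as an added C model. This is an editor-constructed illustration, not code from the page, from Project Zero, or from splwow64; the message layout, the memory sizes, the FLAG_OFF location and the handler names are all assumptions. It shows three handlers side by side: the original copy driven by raw pointers, an offset-only "patch" that still lets the client choose the destination because the offset is unbounded, and a bounds-checked version (the editor's hardening, not Microsoft's shipped fix) that rejects the same message while still allowing in-bounds copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class: a privileged message handler performs a memcpy
 * whose source and destination come from an untrusted message. Constructed
 * for illustration; it is NOT splwow64's real LPC message format. */

#define MEM_SIZE    128
#define SHARED_SIZE 64          /* bytes a client may legitimately touch */
#define FLAG_OFF    64          /* privileged data placed right after that region */
#define FLAG_PWNED  0x41414141u /* value an attacker wants to land on the flag */

typedef struct {
    uint64_t dest;   /* original bug: raw pointer; after the "patch": offset */
    uint64_t src;
    uint32_t len;
} copy_msg_t;

typedef struct {
    unsigned char mem[MEM_SIZE];   /* the privileged process's memory (assumed layout) */
} proc_t;

static uint32_t read_flag(const proc_t *p) {
    uint32_t v;
    memcpy(&v, p->mem + FLAG_OFF, sizeof v);
    return v;
}

/* 1. The original bug: dest and src are pointers taken straight from the message. */
static void handle_original(proc_t *p, const copy_msg_t *msg) {
    (void)p;
    memcpy((void *)(uintptr_t)msg->dest, (const void *)(uintptr_t)msg->src, msg->len);
}

/* 2. The "fix" as the thread describes it: the two fields become offsets from
 *    the shared region, but nothing bounds them, so the attacker still picks
 *    where the copy lands. */
static void handle_bad_patch(proc_t *p, const copy_msg_t *msg) {
    memcpy(p->mem + msg->dest, p->mem + msg->src, msg->len);
}

/* 3. Hardened version (editor's own): length and both offsets are validated
 *    against the shared region, with the subtraction done after the length
 *    check so the comparison cannot wrap. */
static int handle_fixed(proc_t *p, const copy_msg_t *msg) {
    if (msg->len > SHARED_SIZE) return -1;
    if (msg->dest > (uint64_t)(SHARED_SIZE - msg->len)) return -1;
    if (msg->src  > (uint64_t)(SHARED_SIZE - msg->len)) return -1;
    memmove(p->mem + msg->dest, p->mem + msg->src, msg->len);
    return 0;
}

/* Attacker stages 4 bytes inside the shared region and asks for them to be
 * copied over the privileged flag. Each function returns 1 if that worked. */
int attack_original(void) {
    proc_t p = {{0}};
    uint32_t payload = FLAG_PWNED;
    memcpy(p.mem, &payload, sizeof payload);
    copy_msg_t msg = { (uint64_t)(uintptr_t)(p.mem + FLAG_OFF),   /* raw pointers */
                       (uint64_t)(uintptr_t)p.mem, sizeof payload };
    handle_original(&p, &msg);
    return read_flag(&p) == FLAG_PWNED;
}

int attack_bad_patch(void) {
    proc_t p = {{0}};
    uint32_t payload = FLAG_PWNED;
    memcpy(p.mem, &payload, sizeof payload);
    copy_msg_t msg = { FLAG_OFF, 0, sizeof payload };   /* offsets, same effect */
    handle_bad_patch(&p, &msg);
    return read_flag(&p) == FLAG_PWNED;
}

int attack_fixed(void) {
    proc_t p = {{0}};
    uint32_t payload = FLAG_PWNED;
    memcpy(p.mem, &payload, sizeof payload);
    copy_msg_t msg = { FLAG_OFF, 0, sizeof payload };
    /* rejected: dest + len would run past SHARED_SIZE */
    return handle_fixed(&p, &msg) == 0 || read_flag(&p) == FLAG_PWNED;
}

/* A legitimate in-bounds copy must still succeed after the hardening. */
int fixed_allows_valid_copy(void) {
    proc_t p = {{0}};
    p.mem[0] = 0x5a;
    copy_msg_t msg = { 8, 0, 1 };
    return handle_fixed(&p, &msg) == 0 && p.mem[8] == 0x5a;
}

int main(void) {
    printf("original bug:    flag overwritten = %d\n", attack_original());
    printf("offset 'patch':  flag overwritten = %d\n", attack_bad_patch());
    printf("bounds-checked:  flag overwritten = %d\n", attack_fixed());
    return 0;
}
```

The takeaway for reviewing a fix of this shape: replacing a pointer with an offset only changes the base of the write, not who controls its distance from that base. The check has to constrain both offsets and the length relative to the region the client is allowed to reach, and the arithmetic has to be ordered so a large offset cannot wrap the comparison.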
 