A previously unknown Windows “zero-day” flaw is being exploited by hackers, but Microsoft won’t likely be fixing it until the middle of next month. The vulnerability affects Windows 7 through Windows 10.
So say the researchers at Google’s Project Zero, who also revealed that the Windows exploit is just the second step in a one-two punch being used by remote attackers to take over PCs. The first step is a Chrome flaw that was disclosed (and patched) last week.
“Currently we expect a patch for this [Microsoft] issue to be available on November 10,” or the next Microsoft Patch Tuesday, tweeted Project Zero technical lead Ben Hawkes. “We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.”
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.October 30, 2020
The Windows exploit requires local access, i.e. by a person or software who already has access to the machine, so by itself it’s not such an immediate threat.
But the Chrome flaw it was combined with is remotely exploitable, which makes things much worse. A malicious email attachment or website could use the Chrome flaw to escape the browser “sandbox” and then use the Windows flaw to take over the machine.
The exploit messes with the numerical inputs in a cryptography driver, letting the attacker overwrite some memory sectors and run their own code. Project Zero’s Mateusz Jurczyk and Sergei Glazunov posted proof-of-concept code that would cause a system crash on the official Project Zero blog, but it appears that more nefarious results are possible.
Asked about this by Tom’s Guide, Microsoft replied with the following statement.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
How to protect yourself against this Windows zero-day
Until Microsoft releases a patch, the best way to protect yourself against this Windows flaw is, ironically, to update Chrome, Edge, Brave, Opera, Vivaldi and other Chromium-based browsers to the latest version.
In Chrome and many other browsers, you just need to click the Settings icon at the top right of the browser window — it will look like three lines or three dots — and then scroll down to Help or About.
Once you find About, click that, and a new tab will open up that will automatically check for an update. If one is available, the browser will download the update and prompt you to restart.
The latest version of Brave and Chrome is 86.0.4240.111. In Edge, it’s 86.0.622.58. (The latter includes the Chromium security fix, per a Microsoft security advisory.)
You’ll also want to be running some of the best antivirus software. Until now, these two flaws have been used in targeted attacks against selected individuals or organizations, presumably by nation-state attackers or well-funded criminal groups.
But now that the secret is out, it’s possible that malware operators could incorporate this Windows exploit into their own bags of tricks. If they can get the malware on your machine by other means, they won’t need to use the Chrome exploit.
Is seven days really enough to fix a flaw?
So why has Google disclosed, and demonstrated an exploit for, a vulnerability that probably won’t be fixed until November’s Patch Tuesday? It’s all part of Google’s stringent policy regarding actively exploited flaws.
“We have evidence that the following bug is being used in the wild,” reads a disclaimer at the top, and also at the bottom, of the Project Zero post. “Therefore, this bug is subject to a 7-day disclosure deadline.”
In other words, Google implies that Microsoft was told of this flaw on Oct. 22, the same day that the Project Zero blog post was authored. (The blog post was kept private until noon Eastern time today, Oct. 30.)
Now that the seven days are up, Google’s reasoning goes, the world should know so that Windows users can appropriately protect themselves.
Such transparency doesn’t always sit well with the companies whose dirty laundry is revealed. Microsoft has complained before, most notably in 2015 when Google disclosed Windows vulnerabilities two days before they were due to be patched.
Last year, Apple lashed out at Google for detailing half a dozen flaw in iOS that were used for years by Chinese authorities to spy on the iPhones of ethnic minorities. Never mind that Google had waited six months until after Apple fixed things to go public.