{"id":1128,"date":"2020-12-24T16:58:09","date_gmt":"2020-12-24T16:58:09","guid":{"rendered":"https:\/\/zerothcode.com\/blog\/?p=1128"},"modified":"2020-12-24T16:58:09","modified_gmt":"2020-12-24T16:58:09","slug":"google-discloses","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/google-discloses\/","title":{"rendered":"Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug"},"content":{"rendered":"<p>Google&#8217;s Project Zero team has made public details of an improperly patched zero-day security vulnerability in the Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.<\/p>\n<p>Details of the unpatched flaw were revealed publicly after Microsoft failed to patch it within 90 days of responsible disclosure on September 24.<\/p>\n<p>Originally tracked as CVE-2020-0986, the flaw concerns an elevation of privilege vulnerability in the GDI Print \/ Print Spooler API (&#8220;splwow64.exe&#8221;) that was reported to Microsoft by an anonymous user working with Trend Micro&#8217;s Zero Day Initiative (ZDI) in late December 2019.<\/p>\n<p>But with no patch in sight for about six months, ZDI ended up posting a public advisory as a zero-day on May 19 earlier this year, after which it was exploited in the wild in a campaign dubbed &#8220;Operation PowerFall&#8221; against an unnamed South Korean company.<\/p>\n<p>&#8220;splwow64.exe&#8221; is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. It implements a Local Procedure Call (LPC) server that can be used by other processes to access printing functions.<\/p>\n<p>Successful exploitation of this vulnerability could result in an attacker manipulating the memory of the &#8220;splwow64.exe&#8221; process to achieve execution of arbitrary code in kernel mode, ultimately using it to install malicious programs; view, change, or delete data; or create new accounts with full user rights.<\/p>\n<p>However, to achieve this, the adversary would first have to log on to the target system in question.<\/p>\n<p>Although Microsoft eventually addressed the shortcoming as part of its June Patch Tuesday update, new findings from Google&#8217;s security team reveal that the flaw has not been fully remediated.<\/p>\n<p>&#8220;The vulnerability still exists, just the exploitation method had to change,&#8221; Google Project Zero researcher Maddie Stone said in a write-up.<\/p>\n<p>&#8220;The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,&#8221; Stone detailed. &#8220;The &#8216;fix&#8217; simply changed the pointers to offsets, which still allows control of the args to the memcpy.&#8221;<\/p>\n<p>The newly reported elevation of privilege flaw, identified as CVE-2020-17008, is expected to be resolved by Microsoft on January 12, 2021, due to &#8220;issues identified in testing&#8221;, after the company had promised an initial fix in November.<\/p>\n<p>Stone has also shared proof-of-concept (PoC) exploit code for CVE-2020-17008, based on a PoC released by Kaspersky for CVE-2020-0986.<\/p>\n<p>&#8220;There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely,&#8221; Stone said. &#8220;When [in the wild] zero-days aren&#8217;t fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new 0-days.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google&#8217;s Project Zero team has made public details of an improperly patched zero-day security vulnerability in the Windows print spooler API<\/p>\n","protected":false},"author":1,"featured_media":1129,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[65,352,180,967],"class_list":["post-1128","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1128"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1128\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1129"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1128"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}