Google’s Project Zero has disclosed the details of a Windows 0-day vulnerability under active attack which affects all versions from Windows 7 through to Windows 10. No patch is yet available from Microsoft but one is expected in the November 2020 patch Tuesday updates.

Last week we published details of a Chrome Browser 0-day vulnerability that was fixed by Google and was related to a flaw in the FreeType library.  That vulnerability provided the means to execute arbitrary code on the target system, and with the new disclosure from Google the second shoe drops as this Windows vulnerability is being chained with the FreeType bug to provide the escalation of privilege needed for an effective attack.

According to Google’s disclosure the Windows vulnerability is in the Windows Kernel Cryptography Driver (cng.sys).

Project Zero says they took the unusual step of disclosing the vulnerability after just 7 days instead of waiting the usual 90 days because: “We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline.”

Malicious users often need to exploit a series of vulnerabilities in order to attack modern software systems, a process known as chaining.  Each vulnerability on its own may not be particularly dangerous, but by using several in a sequence the cumulative effect can result in the ability to run arbitrary code with administrator privileges and so gain a powerful foothold on one system from which an attack can be launched against the whole network.  This is why it is important to apply all security patches promptly when they are released – even if the risk the vulnerability poses is not immediately obvious.  The danger comes when several vulnerabilities are combined in creative and unexpected ways by attackers.