Windows 0-Day Bug, Poorly Patched, Now Unpatched, Reveals Google

Google’s Project Zero team has publicly disclosed a poorly patched security vulnerability in the Windows print spooler API. Attackers could take advantage of the bug to achieve arbitrary code execution.

The bug was reported to Microsoft in December 2019 by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI). It affects the Print Spooler API (“splwow64.exe”) and was originally tracked as CVE-2020-0986.

Earlier this year, in May, ZDI published a public advisory for the flaw as a zero-day because Microsoft had not produced a patch after a six-month period. Details of the unpatched flaw were made public on September 24, after Microsoft failed to patch the bug within the 90 days allowed under responsible disclosure.

The Print Spooler API (“splwow64.exe”) is a core Windows system binary that connects 32-bit applications to the 64-bit Print Spooler on 64-bit Windows. Other processes reach the printing functions through it by accessing the Local Procedure Call server.

After successfully exploiting the Print Spooler (“splwow64.exe”) vulnerability, an attacker can take control of its running processes and achieve arbitrary code execution in kernel mode. In practice, an attacker could use it to install malicious applications, which in turn would let them create new accounts with full rights and manipulate data at will.

To carry out any of this, however, the attacker must already be logged on to the targeted system. Microsoft has acknowledged the shortcoming of the bug’s June patch, and Google Project Zero’s latest findings show that the flaw has not been fully addressed: only the manner of exploitation has changed, and exploitation is still possible.

According to Maddie Stone, a researcher in Google’s Project Zero, the original bug was an arbitrary pointer dereference that let the attacker control the source and destination pointers passed to memcpy. The fix merely changed those pointers to offsets, so the attacker still controls the arguments.
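To illustrate the point Stone makes, here is an added example written for this article (it is not code from Project Zero, Microsoft or the spooler, and the message layout, buffer size and function names are hypothetical): replacing caller-supplied pointers with caller-supplied offsets changes nothing unless every offset and length is bounded against the backing buffer, and the bound check itself must not overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical message layout: a caller asks the server to copy
 * len bytes between two positions in a shared buffer. Whether these are raw
 * pointers or offsets, the caller still controls all three values. */
typedef struct {
    uint32_t src_off;
    uint32_t dst_off;
    uint32_t len;
} copy_req_t;

/* Naive bound check: src_off + len is computed in 32 bits and can wrap, so a
 * huge offset with a small length passes as "in bounds". This is the kind of
 * validation gap that leaves an offset-based fix exploitable. */
bool req_in_bounds_naive(const copy_req_t *r, uint32_t buf_len) {
    return (uint32_t)(r->src_off + r->len) <= buf_len &&
           (uint32_t)(r->dst_off + r->len) <= buf_len;
}

/* Correct check: compare against the remaining space instead of adding, so no
 * arithmetic can overflow, and both ends of the copy are covered. */
bool req_in_bounds(const copy_req_t *r, uint32_t buf_len) {
    if (r->src_off > buf_len || r->dst_off > buf_len) return false;
    return r->len <= buf_len - r->src_off && r->len <= buf_len - r->dst_off;
}

/* Server-side copy: refuse anything the correct check rejects, then copy with
 * memmove so overlapping ranges are handled. Returns false on rejection. */
bool serve_copy(uint8_t *buf, uint32_t buf_len, const copy_req_t *r) {
    if (!req_in_bounds(r, buf_len)) return false;
    memmove(buf + r->dst_off, buf + r->src_off, r->len);
    return true;
}

/* Self-check on a constructed 64-byte buffer: an in-bounds request succeeds,
 * an out-of-bounds one is refused, and a wrapping request fools only the
 * naive check. Returns true when all three behave as expected. */
bool self_check(void) {
    uint8_t buf[64];
    for (uint32_t i = 0; i < 64; i++) buf[i] = (uint8_t)i;
    copy_req_t ok   = {0, 8, 8};            /* fully inside the buffer */
    copy_req_t past = {60, 0, 8};           /* reads past the end */
    copy_req_t wrap = {0xFFFFFFFCu, 0, 8};  /* src_off + len wraps to 4 */
    return serve_copy(buf, 64, &ok) && buf[8] == 0 && buf[15] == 7 &&
           !serve_copy(buf, 64, &past) &&
           req_in_bounds_naive(&wrap, 64) && !req_in_bounds(&wrap, 64);
}

int main(void) { printf("%s\n", self_check() ? "checks pass" : "checks FAIL"); return 0; }
```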

Microsoft had planned an initial fix for November but was unable to ship it because of issues found in testing; the fix is now expected on 12 January 2021.

Kaspersky released a proof-of-concept (PoC) for CVE-2020-0986, and the PoC exploit code for CVE-2020-17008 shared by Maddie Stone was based on it.

Maddie Stone also notes that when zero-days are not fixed completely and in time, attackers can turn their knowledge of the exploit method and the vulnerability into new zero-days.
