Progman Posted October 31, 2020 https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/ "CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday's post indicated the flaw is in Windows 7 and Windows 10, but made no reference to other versions. “The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” Friday’s Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”"
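The quoted advisory describes the bug class, not the fix: an IOCTL handler that takes a "non-trivial input structure" from user mode and sizes a copy into a kernel buffer from fields inside that structure. The following added example (not code from the thread, Project Zero, or cng.sys; the request layout, field names, limits and status codes are all hypothetical) shows the defensive pattern a driver reviewer looks for: every count or length that drives an offset or a copy is checked against the caller-supplied buffer length and against a fixed maximum before it is used, so a header that lies about how many entries follow, or an entry that claims more key material than the buffer holds, is rejected instead of walking past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical request layout, constructed for this example; it is NOT the
   real cng.sys IOCTL format. A fixed header announces how many entries
   follow; each entry carries its own length field for the key bytes after it. */
typedef struct { uint32_t version; uint32_t count; } req_header_t;
typedef struct { uint32_t key_len; } entry_header_t;

enum status { STATUS_OK = 0, STATUS_BAD_VERSION, STATUS_TRUNCATED,
              STATUS_TOO_MANY, STATUS_OVERLONG_ENTRY };

#define MAX_ENTRIES    16    /* bounds the loop the header's count drives   */
#define MAX_KEY_LEN    64    /* bounds any single copy an entry can request  */
#define KERNEL_SCRATCH 256   /* size of the fixed kernel-side buffer (assumed) */

/* Validate a request before anything is copied. `len` is the length the I/O
   manager reported for the user buffer; nothing inside `buf` is trusted. */
int validate_request(const uint8_t *buf, size_t len, size_t *consumed)
{
    req_header_t hdr;
    size_t off, total_key = 0;

    if (len < sizeof hdr) return STATUS_TRUNCATED;
    memcpy(&hdr, buf, sizeof hdr);                 /* copy, don't cast: alignment */
    off = sizeof hdr;

    if (hdr.version != 1) return STATUS_BAD_VERSION;
    if (hdr.count > MAX_ENTRIES) return STATUS_TOO_MANY;

    for (uint32_t i = 0; i < hdr.count; i++) {
        entry_header_t eh;
        /* off <= len holds at every iteration, so len - off cannot underflow */
        if (len - off < sizeof eh) return STATUS_TRUNCATED;   /* header says more entries than buffer holds */
        memcpy(&eh, buf + off, sizeof eh);
        off += sizeof eh;
        if (eh.key_len > MAX_KEY_LEN) return STATUS_OVERLONG_ENTRY;
        if (len - off < eh.key_len) return STATUS_TRUNCATED;  /* entry claims bytes past the buffer */
        off += eh.key_len;
        total_key += eh.key_len;
    }
    /* MAX_ENTRIES * MAX_KEY_LEN exceeds the scratch buffer, so the sum needs its own check */
    if (total_key > KERNEL_SCRATCH) return STATUS_OVERLONG_ENTRY;
    if (consumed) *consumed = off;
    return STATUS_OK;
}

/* Build a well-formed request with `count` entries of `key_len` bytes each
   (constructed test input, filled with 0xAA). Returns bytes written, 0 if it
   does not fit in `cap`. */
size_t build_request(uint8_t *out, size_t cap, uint32_t count, uint32_t key_len)
{
    size_t need = sizeof(req_header_t) + (size_t)count * (sizeof(entry_header_t) + key_len);
    if (need > cap) return 0;
    req_header_t hdr = { 1, count };
    memcpy(out, &hdr, sizeof hdr);
    size_t off = sizeof hdr;
    for (uint32_t i = 0; i < count; i++) {
        entry_header_t eh = { key_len };
        memcpy(out + off, &eh, sizeof eh); off += sizeof eh;
        memset(out + off, 0xAA, key_len);  off += key_len;
    }
    return off;
}

/* A well-formed request: 2 entries of 16 bytes, 48 bytes in total. */
int demo_valid(void)
{
    uint8_t buf[256]; size_t used = 0;
    size_t n = build_request(buf, sizeof buf, 2, 16);
    return (validate_request(buf, n, &used) == STATUS_OK && used == n) ? 1 : 0;
}

/* Same request, but the I/O manager reports 5 bytes fewer than the structure needs. */
int demo_truncated(void)
{
    uint8_t buf[256];
    size_t n = build_request(buf, sizeof buf, 2, 16);
    return validate_request(buf, n - 5, NULL);
}

/* The classic bug trigger: header count patched to 3 while only 2 entries exist. */
int demo_lying_count(void)
{
    uint8_t buf[256];
    size_t n = build_request(buf, sizeof buf, 2, 16);
    uint32_t lie = 3;
    memcpy(buf + offsetof(req_header_t, count), &lie, sizeof lie);
    return validate_request(buf, n, NULL);
}

/* One entry whose length field exceeds the per-entry maximum. */
int demo_overlong_entry(void)
{
    uint8_t buf[256];
    size_t n = build_request(buf, sizeof buf, 1, 100);
    return validate_request(buf, n, NULL);
}

int main(void)
{
    printf("valid=%d truncated=%d lying_count=%d overlong=%d\n",
           demo_valid(), demo_truncated(), demo_lying_count(), demo_overlong_entry());
    return 0;
}
```

The point of keeping the validation as a separate pass is that the eventual copy into the kernel buffer is then driven only by lengths that have already been checked against both the reported buffer size and a fixed ceiling; a handler that interleaves parsing and copying is where "non-trivial input structures" usually go wrong.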
deepzero Posted November 2, 2020 Why do they put cryptography providers into the kernel and make it available from sandboxes... ?
Progman Posted November 3, 2020 I guess for convenience. They have to have a kernel crypto layer to support things like signed drivers or avoiding key exposure. They would have to have a redundant copy of all the crypto code in user mode otherwise. And still, if it uses stored passwords or the like, the kernel might offer greater credential protection than administrator privileges. It's a practical design decision OSes need to make. But an important one, and complicated data structures in the kernel have invariably always had exploits. The code should be critical-system tested with formal proofs. Certainly security is not done well in consumer hardware or software at all these days. And probably deliberately. Makes things more dangerous yet more interesting. Big surveillance is getting their way still. Nowadays they can hack the hardware directly if they have a high enough security clearance, whether the CPU management system, the chipset, the WiFi chip BIOS, the motherboard BIOS, etc. But lower down in the system, law enforcement agencies will have to go after the software. Stuff that can be used in court, which is not what spy agencies care about. They want every layer to be flawed and allow for a security hierarchy to each get access at the appropriate level. Even the best leaks we have seen are low-down stuff. Not a single leak of the serious stuff ever in the last century, that stuck around at least. Makes you wonder how sophisticated the technology needed to run an empire must be in a world where the average person has a PC and smartphone capable of billions of computations per second. Hovercrafts and teleportation would barely even be enough to hold an empire together based on a power pyramid of corrupt slaves. Yet here we are. Edited November 3, 2020 by Progman