Google Unveils Unpatched and Poorly Fixed Windows 0-Day Vulnerability

Dec 24, 2020

Google’s Project Zero team has disclosed details about a poorly addressed zero-day security flaw in the Windows print spooler API, potentially allowing malicious actors to execute arbitrary code. The flaw was made public after Microsoft failed to resolve it within 90 days of responsible disclosure on September 24. Initially identified as CVE-2020-0986, the vulnerability involves an elevation of privilege exploit in the GDI Print / Print Spooler API (“splwow64.exe”) reported to Microsoft by an anonymous user collaborating with Trend Micro’s Zero Day Initiative (ZDI) in late December 2019. With no patch provided for nearly six months, ZDI publicly issued a zero-day advisory on May 19, which led to exploitation in a campaign known as “Operation PowerFall” targeting an unnamed South Korean company. “splwow64.exe” is a core Windows system binary that facilitates 32-bit application compatibility.

Google Exposes Unpatched Windows Zero-Day Vulnerability

On December 24, 2020, Google’s Project Zero disclosed details about a critical yet poorly patched zero-day vulnerability within the Windows print spooler API. This flaw opens the door for malicious actors to execute arbitrary code, creating significant risks for affected systems. The decision to make this information public follows Microsoft’s inability to implement a fix within the 90-day window provided after the initial responsible disclosure on September 24.

The vulnerability, identified as CVE-2020-0986, relates specifically to privilege escalation within the GDI Print / Print Spooler API, particularly the “splwow64.exe” process. Initially reported to the tech giant by an anonymous source collaborating with Trend Micro’s Zero Day Initiative in late December 2019, the urgency for a patch was evident. However, with no remedy forthcoming after six months, the Zero Day Initiative chose to issue a public advisory on May 19, which categorized the flaw as a zero-day.

The implications of this unaddressed security gap were soon evident, as it became part of the operational arsenal in a cyber attack campaign known as “Operation PowerFall.” This incident targeted an unnamed entity based in South Korea, showcasing the potential for widespread exploitation of the vulnerability in the absence of timely mitigation.

“Splwow64.exe,” a core Windows system binary that facilitates the interaction between 32-bit and 64-bit processes, plays a pivotal role in print services. Its compromise could allow attackers to escalate their privileges significantly, potentially gaining control over infected systems.

The tactics associated with this vulnerability align closely with the MITRE ATT&CK framework, where techniques such as initial access, privilege escalation, and execution come into play. Attackers likely exploited the privilege elevation aspect of the vulnerability to gain unauthorized access to sensitive resources. With the increasing threat landscape, this incident underscores the critical need for organizations to prioritize timely patch management and vulnerability assessments.

As the cybersecurity community continues to grapple with the ramifications of this zero-day, businesses are reminded of the vital importance of maintaining robust security hygiene. An unpatched vulnerability such as CVE-2020-0986 could serve not only as a vector for exploitation but also as a stark reminder of the risks associated with delayed patch implementation.

In conclusion, as vulnerabilities like this emerge, a proactive approach to cybersecurity will be essential for organizations looking to safeguard their digital infrastructures against increasingly sophisticated threats.

Source link

Related Posts

Google Docs Vulnerability Could Have Exposed Your Private Documents to Hackers

On December 29, 2020, a bug in Google’s feedback tool was patched, which could have allowed attackers to access sensitive screenshots of Google Docs by embedding the documents on malicious websites. Discovered by security researcher Sreeram KL on July 9, this flaw earned him a reward of $3,133.70 through Google’s Vulnerability Reward Program. The feedback feature, designed to let users report issues while optionally including screenshots, is implemented across various Google services. Instead of replicating this feature, Google utilizes an iframe element that pulls content from “feedback.googleusercontent.com,” thereby posing a security risk.

Warning: Publicly Available Exploit for SAP Solution Manager Vulnerability Discovered

Cybersecurity experts have issued a warning regarding a fully-functional exploit now circulating online, which targets SAP enterprise software. This exploit takes advantage of a vulnerability, identified as CVE-2020-6207, resulting from a lack of authentication checks in SAP Solution Manager (SolMan) version 7.2. SAP SolMan is a comprehensive application management solution that facilitates end-to-end application lifecycle management across distributed environments, serving as a central hub for managing SAP systems, including ERP, CRM, HCM, SCM, BI, and more. Researchers at Onapsis stated that successful exploitation could enable a remote, unauthenticated attacker to perform highly privileged administrative tasks within connected SAP SMD Agents, utilized for analyzing and monitoring SAP systems. This vulnerability has a critical CVSS base score of 10.0 and was addressed by SAP in a recent update.

Top 5 Bug Bounty Platforms to Watch in 2021

February 8, 2021

While Gartner has yet to establish a dedicated Magic Quadrant for Bug Bounty or Crowd Security Testing, its Peer Insights platform currently lists 24 vendors in the “Application Crowdtesting Services” category. We’ve identified the top 5 most promising bug bounty platforms for those looking to enhance their software testing strategies with insights and expertise from global security researchers:

  1. HackerOne
    As a leading name in the bug bounty space, backed by notable venture capitalists, HackerOne is widely recognized worldwide. According to their latest annual report, over 1,700 companies rely on HackerOne to strengthen their in-house application security testing. The report highlights that their security researchers earned around $40 million in bounties in 2019 alone, contributing to a cumulative total of $82 million. HackerOne is also known for coordinating bug bounty programs for the US government, among others.

Microsoft Releases Patches for Active 0-Day Vulnerability and 55 Other Windows Flaws

On February 10, 2021, Microsoft addressed a total of 56 vulnerabilities, including a critical 0-day exploit that is currently being targeted in the wild. Among these, 11 vulnerabilities are classified as Critical, 43 as Important, and 2 as Moderate in severity, with six being previously disclosed. The updates enhance security across various platforms, including .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and key system components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).

The most critical vulnerability addressed is a Windows Win32k privilege escalation issue (CVE-2021-1732, CVSS score 7.8), which could allow attackers with access to a system to execute malicious code with elevated privileges. Microsoft acknowledges the contributions of JinQuan, MaDongZe, TuXiaoYi, and LiHao from DBAPPSecurity in identifying this vulnerability.