HomeWinBuzzer NewsMicrosoft Windows Zero Day Exploit Now in the Wild Says Google Project...

Microsoft Windows Zero Day Exploit Now in the Wild Says Google Project Zero

Google Project Zero has disclosed a Windows vulnerability just seven days after it was first discovered by the team.


(GPZ) has this week disclosed a vulnerability in that has already been exploited in the wild. According to the team, the zero-day allows bad actors to engage in privilege escalation and sandbox escape attacks, albeit only with local access.

This is the second -related disclosure from GPZ this week. On Monday, 's security team disclosed a vulnerability in GitHub after the Microsoft-owned service failed to issue a fix in time.

If you are unfamiliar with Google Project Zero, it is a security team that hunts for security holes in popular software solutions. When a vulnerability is found, Google gives developers 90 days to issue a fix. If no action is taken, Project Zero publicly discloses the flaw.

With the GitHub disclosure it made sense, there was no fix issued within 90 days. However, this new Windows vulnerability is different. In fact, GPZ is disclosing the problem just seven days after it was first found.

This clearly has given Microsoft little time to issue a patch and goes against Google Project Zero's usual methods. However, the team points out action was needed because the bug has already been exploited.


The zero-day (CVE-2020-17087) occurs in Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL). This is what Windows uses for input and output operations on devices that are outside normal system calls.

“[Cng.sys] exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” according to the bug report, published last Friday. “We have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.”

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” the Project Zero team adds. “The integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.”

Attacks are already happening, says Shane Huntley from Google's Threat Analysis Group. However, he points out they are not related to this week's U.S. Presidential election.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News