Google Project Zero is well known for discovering vulnerabilities both in software developed by Google itself and in software built by other firms. Its methodology is to identify security flaws, report them privately to the vendor, and give the vendor 90 days to fix them before public disclosure. Depending on the complexity of the required fix, it sometimes also offers additional days in the form of a grace period.
The security team has discovered and disclosed multiple security flaws in the past few years after vendors failed to patch them in a timely manner. These include flaws in Qualcomm’s Adreno GPU drivers, Microsoft’s Windows, Apple’s macOS, and more. Now, it has publicly disclosed a security bug in Windows which, if exploited, can lead to elevation of privilege.
As usual, we’ll spare you the nitty-gritty details and give you the simplified meat of the matter: a malicious process can send Local Procedure Call (LPC) messages to the splwow64.exe Windows process, through which an attacker can write an arbitrary value to an arbitrary address in splwow64’s memory space. In other words, the attacker controls both the destination address and the contents that get copied to it.
The flaw in question isn’t exactly new. In fact, a security researcher at Kaspersky reported it earlier this year, and Microsoft patched it back in June. However, Google Project Zero’s Maddie Stone has now determined that this patch is incomplete: Microsoft’s fix only changes the pointers to an offset, which means that an attacker can still exploit the bug using the offset value.
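To illustrate why swapping a raw pointer for a sender-chosen offset does not by itself close an arbitrary-write primitive, here is a constructed C model of a message handler with a fixed buffer, the incomplete fix, and a bounds-checked version. This is an added example, not code from the Project Zero report or from Windows, and every name, size and the canary layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the handler the article describes: not splwow64's real
 * code; every name and size here is an assumption made for illustration. */
#define BUF_SIZE 64u
#define CANARY_BYTE 0xAA
typedef struct {
    uint8_t buf[BUF_SIZE]; /* the only memory a sender may legitimately write */
    uint8_t canary[16];    /* stands in for everything else in the process */
} region_t;

void region_init(region_t *r) {
    memset(r->buf, 0, sizeof r->buf);
    memset(r->canary, CANARY_BYTE, sizeof r->canary);
}
bool canary_intact(const region_t *r) { /* true if nothing outside buf changed */
    for (size_t i = 0; i < sizeof r->canary; i++)
        if (r->canary[i] != CANARY_BYTE) return false;
    return true;
}

/* Incomplete fix as the article characterises it: the message now carries an
 * offset from a known base instead of a raw pointer, but the sender still
 * chooses the offset, so the destination is still arbitrary. */
void write_offset_unchecked(region_t *r, uint32_t offset,
                            const uint8_t *data, uint32_t len) {
    memcpy((uint8_t *)r + offset, data, len);
}

/* Complete fix: offset and length are untrusted; reject any write that does
 * not land entirely inside buf (the subtraction form cannot overflow). */
bool write_offset_checked(region_t *r, uint32_t offset,
                          const uint8_t *data, uint32_t len) {
    if (offset >= BUF_SIZE || len > BUF_SIZE - offset) return false;
    memcpy(r->buf + offset, data, len);
    return true;
}

/* Deliver the same message, offset pointing just past buf, to each handler.
 * Each returns true if the canary survived. */
bool survives_unchecked(void) {
    region_t r; uint8_t p[4] = {1, 2, 3, 4}; region_init(&r);
    write_offset_unchecked(&r, BUF_SIZE, p, sizeof p);
    return canary_intact(&r);
}
bool survives_checked(void) {
    region_t r; uint8_t p[4] = {1, 2, 3, 4}; region_init(&r);
    return !write_offset_checked(&r, BUF_SIZE, p, sizeof p) && canary_intact(&r);
}
```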
The zero-day was reported privately to Microsoft by Google Project Zero on September 24, with the standard 90-day deadline set to expire on December 24. Microsoft initially planned to release a fix in November, but that time frame slipped to December. After that, it told Google that it had identified new problems in its testing and that it would now release a patch in January 2021.
On December 8, the two parties met to discuss progress and next steps, where it was determined that the 14-day grace period could not be offered to Microsoft, since the company plans to release the patch on Patch Tuesday, January 12, 2021, six days past the grace period deadline. Stone has stated that while she doesn’t think an incomplete fix deserves a new 90-day deadline, this has still been followed as the default because Google’s current policies do not cover this case. The Project Zero team plans to revisit its policies next year, and has meanwhile publicly disclosed the vulnerability along with proof-of-concept code. The technical report does not make clear which versions of Windows are affected, but Kaspersky’s report from a few months ago indicates that attackers have been using the flaw to target recent builds of Windows 10.