Apparently, Microsoft released a patch to fix the vulnerability in June, but it did not work as intended, and the vulnerability remains unpatched to date.
While we expect large companies to deal with bugs effectively and patch them in time, sometimes they too disappoint, which in Microsoft’s case is not surprising.
In the latest such case, Google has publicly released the details of a zero-day vulnerability that Microsoft did not patch in time.
As background, an anonymous researcher reported the flaw, which concerned the Windows Print Spooler API, to Microsoft in December of last year. The flaw allowed threat actors to execute arbitrary code in kernel mode, which could then be used to run malware on the victim’s machine and endanger their security.
No patch had been issued after six months, at which point a public advisory was released on May 19th, 2020. This led to a threat actor exploiting the flaw in a series of attacks known as “Operation PowerFall.”
Microsoft then finally released a patch in June, but apparently it did not work as intended.
With this in mind, Google has finally revealed the details, stating:
Just like CVE-2019-0880, this vulnerability allows the attacker to call memcpy with arbitrary parameters in the splwow64 privileged address space. The arbitrary parameters are sent in an LPC message to splwow64.
Google Project Zero security researcher Maddie Stone posted a tweet discussing the background of the issue:
To show how the entire attack works, a proof of concept has been published along with instructions on how to run it. Researcher Maddie Stone explains:
The POC is adapted from the POC released by Kaspersky for CVE-2020-0986. It triggers the memcpy vulnerability twice: first to leak the heap address where the message is stored and what the offset is added to to generate the pointers and then to do the write-what-where.
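The pattern Project Zero describes above, a privileged process performing a memcpy whose parameters come straight from a client's message, is illustrated below with a hypothetical C handler written for this article. It is not splwow64's code, and the message layout and field names are invented for the illustration. The vulnerable version trusts the client-supplied offsets and length; the hardened version rejects any message whose derived pointers would fall outside the message body, doing the range arithmetic in 64 bits so that a large offset cannot wrap past the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message format, constructed for this illustration; it is
 * not the real LPC layout used by splwow64. The client names where, inside
 * the message body, the source bytes and the destination slot live. */
typedef struct {
    uint32_t src_offset;   /* offset of the source bytes in the body     */
    uint32_t dst_offset;   /* offset of the destination slot in the body */
    uint32_t length;       /* number of bytes to copy                    */
    uint8_t  body[64];
} message_t;

/* Vulnerable handler: every memcpy parameter is derived from fields the
 * less-privileged client controls. Offsets or a length outside 'body'
 * turn the copy into a client-controlled write in the privileged
 * process's address space. Shown for contrast only; never call it on
 * untrusted input. */
void handle_message_vulnerable(message_t *msg)
{
    memcpy(msg->body + msg->dst_offset, msg->body + msg->src_offset, msg->length);
}

/* Hardened handler: both derived ranges must lie inside 'body'. The sums
 * are computed as uint64_t so a 32-bit offset plus length cannot wrap to a
 * small value and slip past the comparison. Overlapping ranges are also
 * rejected because memcpy does not permit them.
 * Returns 1 if the copy was performed, 0 if the message was rejected. */
int handle_message_hardened(message_t *msg)
{
    uint64_t body_len = sizeof msg->body;
    uint64_t src_end  = (uint64_t)msg->src_offset + msg->length;
    uint64_t dst_end  = (uint64_t)msg->dst_offset + msg->length;

    if (src_end > body_len || dst_end > body_len)
        return 0;                       /* out of bounds: reject */
    if (msg->src_offset < dst_end && msg->dst_offset < src_end)
        return 0;                       /* overlapping ranges: reject */

    memcpy(msg->body + msg->dst_offset, msg->body + msg->src_offset, msg->length);
    return 1;
}

/* A well-formed message copies 4 bytes from body[0..4) to body[8..12). */
int demo_valid_copy(void)
{
    message_t m;
    memset(&m, 0, sizeof m);
    memcpy(m.body, "ABCD", 4);
    m.src_offset = 0; m.dst_offset = 8; m.length = 4;
    if (!handle_message_hardened(&m))
        return 0;
    return memcmp(m.body + 8, "ABCD", 4) == 0;
}

/* A destination offset past the body is rejected. */
int demo_rejects_out_of_bounds(void)
{
    message_t m;
    memset(&m, 0, sizeof m);
    m.src_offset = 0; m.dst_offset = 0x1000; m.length = 4;
    return handle_message_hardened(&m) == 0;
}

/* An offset chosen so that offset + length wraps in 32-bit arithmetic
 * (0xFFFFFFF0 + 0x20 == 0x10) is still caught by the 64-bit check. */
int demo_rejects_wraparound(void)
{
    message_t m;
    memset(&m, 0, sizeof m);
    m.src_offset = 0xFFFFFFF0u; m.dst_offset = 0; m.length = 0x20;
    return handle_message_hardened(&m) == 0;
}

int main(void)
{
    printf("valid copy performed:      %d\n", demo_valid_copy());
    printf("out-of-bounds rejected:    %d\n", demo_rejects_out_of_bounds());
    printf("wraparound rejected:       %d\n", demo_rejects_wraparound());
    return 0;
}
```

The point of the hardened version is that a privileged server must treat every pointer it derives from a client message as untrusted, checking the whole range (offset plus length) against the buffer it actually owns rather than checking the offset alone.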
To conclude, Microsoft is now working to fix the issue once again, and we may hear from them in a couple of weeks. Whenever we do, we’ll update you on how it goes; regardless, this remains a lesson to properly test the fix for each reported vulnerability and resolve it once and for all.