A Windows API component has an unpatched vulnerability that Google's Project Zero team recently disclosed publicly.
Microsoft stated that it had patched the vulnerability in June, but the disclosure shows that the patch did not fix the underlying bug. The component in question is the Windows Print Spooler API host, splwow64.exe. Microsoft's advisory for the original flaw, CVE-2020-0986, described it as allowing arbitrary code execution in kernel mode; in practice, the bug lets a low-privileged (sandboxed) process send crafted messages to the higher-privileged splwow64.exe process, which then reads and writes memory at attacker-chosen locations. That gives an attacker who already controls a sandboxed process, such as a browser renderer, a way to escape the sandbox and run malware on the victim's machine with greater privileges.
Microsoft did not release a patch for roughly six months after the vulnerability was first reported, and in that window a threat actor began exploiting it. The attacks, chained with a separate Internet Explorer zero-day, were named "Operation PowerFall" by the researchers who observed them. Microsoft finally addressed the issue in its June 2020 updates, but the patch did not fix the root cause.
Google's Project Zero has released a proof-of-concept that walks through the entire attack. The root cause is a memcpy whose source and destination are derived from values supplied by the client in the message it sends to splwow64.exe. The June patch stopped using raw pointers from the message and switched to offsets relative to the message buffer, but it never checked that those offsets stay inside the buffer, so the bypass (tracked as CVE-2020-17008) works the same way as CVE-2020-0986. The proof-of-concept triggers the memcpy bug twice: first to leak the heap address where the message is stored and the offset that is added to it to generate the pointers, and then, with those values known, to perform an arbitrary write (write-what-where).
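The following C program is an added illustration of the bug class described above; it is not Project Zero's proof-of-concept and does not reproduce the real splwow64.exe message layout, whose field names and sizes are assumptions made here. It models a broker that copies a payload from a client-supplied offset inside a message: the vulnerable handler trusts the offset and length, so a client can point the copy past the message and leak whatever sits after it on the heap (the first step of the attack), while the hardened handler rejects any payload that does not lie entirely inside the message body. The same bounds check applies to the destination side of the copy, which is what turns the leak into a write-what-where.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a message a sandboxed client sends to the
 * privileged broker. Field names and sizes are assumptions for this
 * example, not the real splwow64 layout. After the June 2020 patch the
 * real message carried offsets like payload_off instead of raw pointers,
 * but they were still not validated. */
typedef struct {
    uint32_t payload_off;  /* offset from message base, chosen by the client */
    uint32_t payload_len;  /* byte count, chosen by the client */
    uint8_t  body[64];     /* where the payload is supposed to live */
} thunk_msg;

/* Vulnerable handler: uses the client's offset and length as-is. */
size_t thunk_copy_vulnerable(const thunk_msg *msg, uint8_t *out, size_t out_cap)
{
    size_t n = msg->payload_len < out_cap ? msg->payload_len : out_cap;
    memcpy(out, (const uint8_t *)msg + msg->payload_off, n); /* no bounds check */
    return n;
}

/* Hardened handler: the payload must lie entirely inside body[]. The
 * arithmetic is done in 64 bits so off + len cannot wrap around. Returns 0
 * and copies nothing when the message is rejected. */
size_t thunk_copy_hardened(const thunk_msg *msg, uint8_t *out, size_t out_cap)
{
    uint64_t off = msg->payload_off, len = msg->payload_len;
    uint64_t lo = offsetof(thunk_msg, body);
    uint64_t hi = lo + sizeof msg->body;
    if (off < lo || off > hi || len > hi - off || len > out_cap)
        return 0;
    memcpy(out, (const uint8_t *)msg + off, (size_t)len);
    return (size_t)len;
}

typedef size_t (*thunk_handler)(const thunk_msg *, uint8_t *, size_t);

/* The message sits at the start of a constructed "heap" region, with a
 * stand-in secret placed immediately after it, as neighbouring heap data
 * would be. The union keeps the message correctly aligned. */
#define SECRET "heap-secret"
typedef union { uint8_t bytes[128]; thunk_msg msg; } arena;

/* Malicious client: offset points past body[] into the neighbouring data. */
size_t leak_attempt(thunk_handler handler, uint8_t *out, size_t out_cap)
{
    arena a;
    memset(&a, 0, sizeof a);
    memcpy(a.bytes + sizeof(thunk_msg), SECRET, sizeof SECRET);
    a.msg.payload_off = (uint32_t)sizeof(thunk_msg); /* just past the message */
    a.msg.payload_len = sizeof SECRET;
    return handler(&a.msg, out, out_cap);
}

/* Well-formed client: payload genuinely inside body[]. */
size_t legit_request(thunk_handler handler, uint8_t *out, size_t out_cap)
{
    arena a;
    memset(&a, 0, sizeof a);
    memcpy(a.msg.body, "hello", 5);
    a.msg.payload_off = (uint32_t)offsetof(thunk_msg, body);
    a.msg.payload_len = 5;
    return handler(&a.msg, out, out_cap);
}

int main(void)
{
    uint8_t out[32];
    size_t n = leak_attempt(thunk_copy_vulnerable, out, sizeof out);
    printf("vulnerable handler leaked %zu bytes: %.*s\n", n, (int)n, out);
    n = leak_attempt(thunk_copy_hardened, out, sizeof out);
    printf("hardened handler copied %zu bytes (0 = rejected)\n", n);
    n = legit_request(thunk_copy_hardened, out, sizeof out);
    printf("hardened handler served legitimate request: %zu bytes\n", n);
    return 0;
}
```

The check in thunk_copy_hardened is the one the June patch lacked: converting pointers to offsets changes nothing if any offset is still accepted, because an offset is just a pointer relative to a base the attacker can learn from the first leak.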
Microsoft is again working on a fix for the vulnerability. Until a corrected patch ships, we recommend that users keep their systems protected by installing the best-in-class security options provided by NPAV. Use NPAV and join us on a mission to secure the cyber world.