Windows Zero-Day Bug Still Not Fixed Even After a Patch!
- By Dawna M. Roberts
- Published: Dec 29, 2020
- Last Updated: Mar 18, 2022
Threatpost and The Hacker News have reported that a local privilege-escalation (LPE) bug in Microsoft Windows, which could allow hackers to take complete control of your system, is still alive despite a fix. The zero-day vulnerability (CVE-2020-0986) affects Windows 8.1 and Windows 10 and involves the print spooler API.
What Happened?
Put simply, the bug allows bad actors to execute code by escalating the privileges of the currently logged-in user. Microsoft issued a statement about the bug in June 2020. Microsoft had until September 24 to patch the bug, and it did issue a security patch, but the patch failed to fix the problem.
Kaspersky Labs noticed that this bug was used in May against a South Korean company as part of a larger attack known as Operation Powerfall, executed by an advanced persistent threat (APT) group called Darkhotel.
The Technical Details
According to The Hacker News “‘splwow64.exe’ is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. It implements a Local Procedure Call (LPC) server that can be used by other processes to access printing functions.”
They followed up by saying that the bug could allow a hacker to install malicious programs; view, change or delete data; or create new accounts with increased privileges.
Google’s Project Zero research team discovered that the botched patch didn’t work and that the issue remains active in the wild. Maddie Stone, a Google Project Zero researcher, commented that “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
Stone added, admonishing Microsoft: “There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely. When [in the wild] zero-days aren’t fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new 0-days.”
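The memcpy pattern Stone describes, modelled in C as an added example that is not from the article or from Microsoft’s code: the message layout, buffer size and function names are constructed. The unchecked offset handler still lets the sender choose both memcpy arguments; the hardened handler bounds-checks every offset and length against the shared buffer before copying.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not Microsoft's code) of the pattern in the quote above:
 * a client message names src, dst and length of a copy a privileged server runs. */
#define SHARED_SIZE 64u

typedef struct {
    uint64_t src;  /* original bug: raw pointer; after the first patch: offset */
    uint64_t dst;
    uint32_t len;
} copy_msg_t;

/* The incomplete patch's pattern: src/dst became offsets into a shared buffer,
 * but nothing bounds them, so the sender still chooses where memcpy reads and
 * writes relative to the base. Shown for contrast; never run out of range. */
void copy_offsets_unchecked(uint8_t *base, const copy_msg_t *m) {
    memcpy(base + m->dst, base + m->src, m->len);
}

/* Oracle: how many bytes the unchecked write would land past the buffer end. */
size_t write_overrun_bytes(size_t size, const copy_msg_t *m) {
    if (m->dst >= size) return m->len;
    return m->len > size - m->dst ? (size_t)(m->len - (size - m->dst)) : 0;
}

/* Hardened handler: both offsets and the length must fit inside the buffer.
 * Testing len > size - off (not off + len > size) cannot overflow. */
int copy_offsets_checked(uint8_t *base, size_t size, const copy_msg_t *m) {
    if (m->src > size || m->len > size - m->src) return -1;
    if (m->dst > size || m->len > size - m->dst) return -1;
    memmove(base + m->dst, base + m->src, m->len);
    return 0;
}

/* In-range copy is accepted and the bytes arrive. Returns 1 on success. */
int demo_valid_copy(void) {
    uint8_t buf[SHARED_SIZE];
    for (unsigned i = 0; i < SHARED_SIZE; i++) buf[i] = (uint8_t)i;
    copy_msg_t ok = { .src = 0, .dst = 32, .len = 16 };
    if (copy_offsets_checked(buf, SHARED_SIZE, &ok) != 0) return 0;
    return buf[32] == 0 && buf[47] == 15 && buf[48] == 48;
}

/* A message whose write would run 8 bytes past the buffer is refused (-1). */
int demo_overrun_rejected(void) {
    uint8_t buf[SHARED_SIZE] = {0};
    copy_msg_t bad = { .src = 0, .dst = SHARED_SIZE - 8, .len = 16 };
    return copy_offsets_checked(buf, SHARED_SIZE, &bad);
}
```

Changing the type of the field from pointer to offset does not change who controls its value; only the range check does.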
How did Microsoft Respond?
Microsoft has assigned a new CVE (CVE-2020-17008) to the issue. Google’s Project Zero has released its own “public proof-of-concept code.”
The software giant failed to patch the bug within the 90-day disclosure window, and after this second warning it has promised a new fix in January 2021.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a bug or software flaw that the developer knows about but has not yet released a security patch for, and which cybercriminals could use to commit fraud.
Typically, zero-day vulnerabilities are the result of poor coding, the improper use of computer resources or bugs that create weak spots that hackers can exploit to take control and execute commands or functions for their own purposes.
The term zero-day refers to the fact that the issue is “new,” just discovered, and the software developer was previously unaware of it and so has not yet issued a patch. In layman’s terms, the developer now has “zero days” to fix the problem before a hacker exploits the issue.
Reporting zero-day issues is a double-edged sword. Once the details are released, not only is the developer aware of the flaw, but hackers now know exactly how to exploit machines running the vulnerable code. If hackers use the bug before it is patched, that is known as a zero-day attack. It is basically a race against time between the software developers (who have 90 days to patch it) and the bad actors.