Google’s Project Zero discloses Windows 0day that’s been under active exploit (opens in new tab)

(arstechnica.com)

51 pointsCantbekhan5y ago8 comments

8 comments

The link goes to the comments section. This one doesn't: https://arstechnica.com/information-technology/2020/10/googl...

kerng5y ago

Seems like they conveniently waited to fix Chrome bug before going ballistic at Microsoft.

aw16211075y ago

Project Zero's disclosure policy as described in the article appears to leave little room, if any, for the bias you appear to be implying:

> In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

In addition, the two bugs appear to be unrelated other than being used as part of the same attack chain. The Chrome/FreeType vulnerabilities were reported on 2020-10-19 [0, 1], while the Windows vulnerability was reported on 2020-10-22 [2]. The Chrome team released a fix for their bug the day after the it was reported [3], while Microsoft is either still working on fixing the bug or is waiting for Patch Tuesday.

[0]: https://bugs.chromium.org/p/chromium/issues/detail?id=113996...

[1]: https://savannah.nongnu.org/bugs/?59308

[2]: https://bugs.chromium.org/p/project-zero/issues/detail?id=21...

[3]: https://twitter.com/benhawkes/status/1318640422571266048

1 more reply

akadruid15y ago

The combination of Chrome sandbox escape and Windows escalation make an extremely potent and high value combination. I hope we get more information on the "targeted" attacks

eznzt5y ago

The article mentions how a bug in a library Chrome uses allowed a sandbox escape. I am left wondering if forks of Chrome (such as Edge, which I'm using to type this from) are already updated. This is what really worries me about using Edge. Not to mention unstaffed forks such as Ungoogled Chromium.

rkagerer5y ago

Did they include a proof of concept in the disclosure even though the Google patch has only been out for a week and the Microsoft patch is not yet available?

Showing more adversaries how to make exploits right now doesn't seem like a great idea?

zenexer5y ago

My understanding is that it’s not a full PoC. It’s enough to crash Windows, but not enough to do more than that. An attacker would likely need to do additional work to make it relevant to them unless they’re just a prankster. Given that the disclosure says exactly where an attacker would need to start looking, it doesn’t make much difference whether a PoC is released in this case.

This isn’t always true: sometimes knowing where to look is the easy part, and crafting a working exploit is the hard part. I don’t get the impression that’s the case here.

codys5y ago

On the same subject matter: https://news.ycombinator.com/item?id=24947247

j / k navigate · click thread line to collapse