Google shared details about the bug found in a Windows Kernel Cryptography Driver (sng.sys) file. This vulnerability has also been exploited by hackers.
Technology companies are constantly trying to improve their existing products as well as developing new products. For this purpose, many security and development studies continue unabated.
The Project Zero team, focused on finding Google’s vulnerabilities, revealed a problem with a Windows Kernel last week. This was also reported to the Microsoft team. On the exploitation of the vulnerability by hackers, Google shared the information publicly.
This kernel problem, which is a zero-day vulnerability, is also used by hackers. The vulnerability, followed by the name CVE-2020-117087, does not seem to be fixed by Microsoft anytime soon.
According to the statement on the Project Zero page, the Windows Kernel Cryptography Driver (cng.sys) creates a Device / CNG vulnerability. This vulnerability can also be used by user mode programs and can provide control of various input and output data. This creates a locally accessible attack zone.
The Project Zero team actually reported this problem to Microsoft on October 22. Under normal circumstances, the team gives developers 90 days to fix a bug. The reason why this deficit was announced in a short time is that it has already been exploited by malicious people.
The deficit can be rectified on November 10
Ben Hawkes from the Project Zero team stated that while sharing the details of this vulnerability on Twitter, they also informed Google. He also said that they expect this vulnerability to be fixed with a patch to be released on November 10.
A statement on the subject also came from Microsoft. It was stated that the security problem specified in the company’s statement will be examined. It was stated that the researchers wanted to keep up with the deadlines given, but the update needed a time-quality balance. Microsoft has cited its ultimate goal as the highest level of customer protection and minimum user annoyance.