The bug hunters that comprise Google’s Project Zero team are getting a little fed up with companies that issue incomplete or otherwise incorrect patches for zero-day vulnerabilities they discover. Going into 2021, the team plans to reevaluate how it handles these kinds of situations, with a recent privilege escalation flaw in Windows serving as the tipping point.
At issue is a zero-day flaw in Windows (CVE-2020-0986) that was actually discovered by Kaspersky this past summer.
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains in a support document.
Microsoft points out that an attacker would first need to log into a system and then run a specially crafted application to exploit the vulnerability and take control of an affected system. Where things get extra interesting, however, is how Microsoft handled the fix, and Project Zero’s decision to ultimately disclose the flaw.
As explained by Project Zero team member Maddie Stone on Twitter, Microsoft released a patch for this flaw in June. However, Project Zero contends that the patch did not fully fix the flaw, and so it alerted Microsoft to its findings in September, and subsequently granted the software maker a new 90-day deadline.
“While I don’t think a bad/incomplete [patch] deserves a new 90-day deadline, when looking at our disclosure policy this case wasn’t explicitly addressed and thus we felt we should default to 90 [days]. We’re looking at addressing this in 2021 policy,” Stone states.
In other words, CVE-2020-0986 inadvertently exposed a loophole within Project Zero’s disclosure policies. The way the program works, a company is alerted to a zero-day bug, and given 90 days to issue a patch before it is publicly disclosed. In some cases, a company can be granted a short grace period, if a patch is imminent.
Microsoft’s case was a little different, in that its fix was not complete. This led to Microsoft assigning a new identifier, CVE-2020-17008, to the follow-up bug report, with a second fix initially planned for November. That ended up slipping into December, and then Microsoft advised Project Zero that the fix would actually go out in January 2021.
That falls around a week too late for Project Zero to issue a 14-day grace period, and so the flaw has been publicly disclosed. It also led to a bit of venting on the part of Stone.
“There have been too many occurrences this year of 0-days known to be actively exploited being fixed incorrectly or incompletely. When itw [in the wild] 0 days aren’t fixed completely, attackers can reuse their knowledge of vulns & exploit methods to easily develop new 0-days,” Stone wrote on Twitter.
Basically, Stone is putting companies on notice that things are going to change in 2021, specifically with regard to this apparent loophole. If a fix is deemed incomplete, it is unlikely that companies will be granted a new 90-day window.