1 min read

Microsoft Issued a Fix for Zero-Day Six Months Ago but It Didn't Work

Silviu STAHIE

December 30, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Microsoft Issued a Fix for Zero-Day Six Months Ago but It Didn't Work

Microsoft fixed a zero-day vulnerability in June 2020, but the company did a poor job. Security researchers from Google’s Project Zero showed that attackers could still use the zero-day, despite the patch.

Since zero-day exploits are a serious matter, most of the time, companies quickly release a patch. The June 2020 patch for Windows 8.1 and 10 covered the zero-day CVE-2020-0986 vulnerability, or at least that was the plan.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory,” reads the vulnerability. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

As results go, a quick fix for such a significant problem is the best possible outcome, but security researchers discovered that the fix wasn’t working. Not only that, but the vulnerability is still unpatched to this day, and the attackers already used the zero-day in at least one incident.

“The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,” said Google’s Project Zero Maddie Stone. “The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”

“There have been too many occurrences this year of 0days known to be actively exploited being fixed incorrectly or incompletely. When itw 0days aren’t fixed completely, attackers can reuse their knowledge of vulns& exploit methods to easily develop new 0-days,” she explained.

A new fix is in the works, and it should be available with the January patch. Until that’s out, many Windows machines will be vulnerable.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Common Credentials Criminals Use in IoT Dictionary Attacks Revealed Common Credentials Criminals Use in IoT Dictionary Attacks Revealed
Silviu STAHIE

November 30, 2021

3 min read
Interpol Busts 1,000 Cyber Crooks and Recovers $27M in Massive Fraud Crackdown Interpol Busts 1,000 Cyber Crooks and Recovers $27M in Massive Fraud Crackdown
Filip TRUȚĂ

November 29, 2021

2 min read
Social media firms will be forced to unmask online trolls, says Australia Social media firms will be forced to unmask online trolls, says Australia
Graham CLULEY

November 29, 2021

2 min read