1 min read

Microsoft Issued a Fix for Zero-Day Six Months Ago but It Didn't Work

Silviu STAHIE

December 30, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Microsoft Issued a Fix for Zero-Day Six Months Ago but It Didn't Work

Microsoft fixed a zero-day vulnerability in June 2020, but the company did a poor job. Security researchers from Google’s Project Zero showed that attackers could still use the zero-day, despite the patch.

Since zero-day exploits are a serious matter, most of the time, companies quickly release a patch. The June 2020 patch for Windows 8.1 and 10 covered the zero-day CVE-2020-0986 vulnerability, or at least that was the plan.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory,” reads the vulnerability. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

As results go, a quick fix for such a significant problem is the best possible outcome, but security researchers discovered that the fix wasn’t working. Not only that, but the vulnerability is still unpatched to this day, and the attackers already used the zero-day in at least one incident.

“The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,” said Google’s Project Zero Maddie Stone. “The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”

“There have been too many occurrences this year of 0days known to be actively exploited being fixed incorrectly or incompletely. When itw 0days aren’t fixed completely, attackers can reuse their knowledge of vulns& exploit methods to easily develop new 0-days,” she explained.

A new fix is in the works, and it should be available with the January patch. Until that’s out, many Windows machines will be vulnerable.

tags


Author



Right now

Top posts

What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

June 22, 2022

1 min read
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Chinese criminals scam kids desperate to play games for more than three hours a week Chinese criminals scam kids desperate to play games for more than three hours a week
Graham CLULEY

August 12, 2022

2 min read
Sophisticated Smishing Attack on Twilio Leads to Employee Credential Leak and Data Breach Sophisticated Smishing Attack on Twilio Leads to Employee Credential Leak and Data Breach
Silviu STAHIE

August 09, 2022

1 min read
Attackers Hit German Chambers of Industry and Commerce; All Digital Services Down Attackers Hit German Chambers of Industry and Commerce; All Digital Services Down
Silviu STAHIE

August 05, 2022

1 min read