With the number of hacks increasing, security researchers have their work cut out for them.
When Project Zero finds a security flaw, it typically gives Microsoft a seven-day deadline to patch the vulnerability. Project Zero typically makes a public disclosure after 90 days or when a “fix” is developed, whichever happens first.
The active exploits are disclosed
The bug disclosure last month came prior to a patch being available.
Project Zero announced that “We have evidence that the following bug is being used in the wild. In other words, hackers were currently using the bugs to hack some current Windows users. Therefore, this bug is subject to a 7-day disclosure deadline.”
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the Project Zero post said. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”