Windows 10, like any software, has bugs, security flaws and other errors that are discovered over time. So far nothing unusual: update Windows 10 to the latest version, which usually contains the patches that fix these performance or security problems. What is not acceptable is being privately notified of a security problem, taking forever to fix it, and then fixing it wrong. That botch is what Google accuses Microsoft of over a problem in the Windows 10 print spooler.
Google Project Zero is a team of security researchers at the Internet giant, launched in July 2014, dedicated to finding zero-day vulnerabilities in all kinds of software. Broadly speaking, the bugs are reported privately to the vendor and made public once the patch has been released. However, if 90 days go by without a patch, the details are published anyway to "pressure" the vendor into releasing one.
Microsoft didn’t fix a problem in 6 months
All of this brings us to September 24 of this year, when Google Project Zero reported to Microsoft the full details of an elevation of privilege vulnerability that exploits a bug in the splwow64.exe spooler API (under the policy above, the report is made public once the 90-day deadline expires). Microsoft had been aware of the underlying error since December 2019, but spent 6 months without doing anything about it, until the existence of the security flaw was finally made public.
If the vulnerability is successfully exploited, an attacker can manipulate the splwow64.exe process to execute arbitrary code with higher privileges, potentially installing malicious programs capable of viewing, changing or deleting data, or creating new user accounts. Since this is a local elevation of privilege, the attacker must already be logged into the system for it to work.
Microsoft eventually released a patch to fix the problem, but the fix turned out to be incomplete. Google explains that "the vulnerability still exists, only the method to exploit it has changed." In fact, they confirm that Microsoft limited itself to changing "pointers to offsets." An offset that is never bounds-checked still lets the caller choose which memory is accessed, just relative to a fixed base instead of as an absolute address, so the bug can still be exploited.
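To show why swapping raw pointers for offsets does not by itself close this class of bug, here is an added example in C that models the pattern in general terms. It is written for this article and is not splwow64's code, Microsoft's patch or Google's proof of concept; the server state, the two message layouts, `SHARED_SIZE` and the secret value are all constructed assumptions. It puts the original pointer-trusting handler, the "pointer to offset" handler without a bounds check, and a properly checked handler side by side and lets an untrusted caller try to read past the region it is allowed to see.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a privileged server that copies memory on behalf of
 * an untrusted caller. This is NOT splwow64's real message format; the
 * layouts, sizes and the secret value are illustrative assumptions. */

#define SHARED_SIZE 64

/* The first SHARED_SIZE bytes are the region a caller may legitimately read.
 * The 4 bytes after it stand in for memory the caller must never reach. */
typedef struct {
    uint8_t mem[SHARED_SIZE + sizeof(uint32_t)];
} server_state_t;

/* Original design: the message carries a raw pointer that the server trusts. */
typedef struct {
    const void *src;
    size_t len;
} msg_ptr_t;

/* "Pointer to offset" design: the message carries an offset from a fixed base. */
typedef struct {
    size_t offset;
    size_t len;
} msg_off_t;

typedef int (*off_handler_t)(server_state_t *, const msg_off_t *, uint8_t *, size_t);

/* Each handler returns the number of bytes copied, or -1 if the request is rejected. */

int handle_ptr(server_state_t *st, const msg_ptr_t *m, uint8_t *out, size_t out_len)
{
    (void)st;
    if (m->len > out_len) return -1;
    memcpy(out, m->src, m->len);            /* caller chooses the source address */
    return (int)m->len;
}

int handle_off_unchecked(server_state_t *st, const msg_off_t *m, uint8_t *out, size_t out_len)
{
    if (m->len > out_len) return -1;
    /* The base is now fixed, but base + offset is still whatever the caller wants. */
    memcpy(out, st->mem + m->offset, m->len);
    return (int)m->len;
}

int handle_off_checked(server_state_t *st, const msg_off_t *m, uint8_t *out, size_t out_len)
{
    if (m->len > out_len) return -1;
    /* Bounds check written so that offset + len cannot overflow size_t. */
    if (m->offset > SHARED_SIZE || m->len > SHARED_SIZE - m->offset) return -1;
    memcpy(out, st->mem + m->offset, m->len);
    return (int)m->len;
}

static void init_state(server_state_t *st)
{
    const uint32_t secret = 0x41424344u;    /* constructed sample value */
    memset(st->mem, 0, sizeof st->mem);
    memcpy(st->mem + SHARED_SIZE, &secret, sizeof secret);
}

/* Ask an offset-based handler for `len` bytes at `offset`; store whatever
 * comes back in *leaked and return the handler's result code. */
int probe_off(off_handler_t handler, size_t offset, size_t len, uint32_t *leaked)
{
    server_state_t st;
    uint8_t out[sizeof(uint32_t)] = {0};
    msg_off_t m = { offset, len };
    init_state(&st);
    int rc = handler(&st, &m, out, sizeof out);
    memcpy(leaked, out, sizeof *leaked);
    return rc;
}

/* Same for the pointer-based handler: the caller simply points at the secret. */
int probe_ptr(uint32_t *leaked)
{
    server_state_t st;
    uint8_t out[sizeof(uint32_t)] = {0};
    init_state(&st);
    msg_ptr_t m = { st.mem + SHARED_SIZE, sizeof(uint32_t) };
    int rc = handle_ptr(&st, &m, out, sizeof out);
    memcpy(leaked, out, sizeof *leaked);
    return rc;
}

int main(void)
{
    uint32_t v;
    probe_ptr(&v);
    printf("raw pointer:      leaked 0x%08x\n", v);
    probe_off(handle_off_unchecked, SHARED_SIZE, 4, &v);
    printf("unchecked offset: leaked 0x%08x\n", v);
    int rc = probe_off(handle_off_checked, SHARED_SIZE, 4, &v);
    printf("checked offset:   rc=%d (request rejected)\n", rc);
    return 0;
}
```

The first two handlers both hand the secret to the caller; only the third rejects the request, because it validates the offset and length against the region the caller is entitled to, using a check that cannot be defeated by making `offset + len` wrap around. In a real fix that is the step that matters; changing the encoding of the address without adding it just moves the bug.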
That vulnerability has now been cataloged as CVE-2020-17008, and a patch is expected on January 12, 2021. The problem is that Google Project Zero has already published a proof of concept showing how to exploit it, so hopefully the patch is not too late and, above all, not another botch.