Reuters KP / ems
Experts on Google’s Project Zero team have warned again of a software vulnerability that was discovered several months ago, which could pose a threat to Windows computers.
According to the available information, information security experts had discovered several software vulnerabilities in Windows systems last May, 3 of which were named CVE-2020-0916, CVE-2020-0986 and CVE-2020-0915, which were classified as very dangerous. Inform Microsoft of its presence.
Last June, Microsoft launched an update to Windows systems, which confirmed that it had software modifications to correct the vulnerabilities and avoid the danger to users’ devices.
Today, almost half a year after Microsoft launched the aforementioned update, Project Zero technical expert Maddy Stone returned to indicate that the update did not correct the CVE-2020-0986 vulnerability as required, and that this vulnerability could be exploited in the future to penetrate computer systems.
The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The “fix” simply changed the pointers to offsets, which still allows control of the args to the memcpy.
Maddie Stone (@maddiestone) December 23, 2020
Several technology sites indicated that Project Zero experts informed Microsoft about the aforementioned loophole on December 24, and the latter is expected to launch a new update for Windows systems next January, bringing with it a solution to that problem.