Critical Vulnerability in Windows OS – Check Point customers remain protected

By, Dana Katz, Head of Product Marketing, Threat Prevention

Only five days after Google disclosed information about a critical vulnerability in the Microsoft Windows operating system (CVE-2020-17087), Check Point has officially released protection to keep its customers completely safe. Early protections against vulnerabilities that are under active attack are crucial. Microsoft is expected to release an update today, November 10, 2020, but Google research indicates that attackers are exploiting this vulnerability so organizations are already at risk.

About the Vulnerability

On Friday evening (30.10.2020), Google disclosed the details of CVE-2020-17087, a zero-day vulnerability in the Microsoft Windows operating system. Attackers are using this vulnerability in conjunction with a separate bug in Chrome, which Google disclosed and fixed on Oct 20th, 2020 (CVE-2020-15999) to escape Chrome’s sandbox and run malware on the operating system.

What’s the Risk?

Attackers exploiting the new Microsoft windows vulnerability would be able to control the affected system and gain higher privileges on the victim’s machine. Meaning, attackers could gain unauthorized access to sensitive corporate assets (that the victim usually does not have access to) and conduct malicious activity such as creating or deleting files, manipulating or leaking sensitive data and disabling services.

It’s important to note that according to researchers at Google -threat actors have already been exploiting this vulnerability in the wild. That means organizations across different industries are currently exposed to these types of attacks.

Check out the following video showing the attack flow and how Check Point protects against it by leveraging SandBlast Network, IPS and SandBlast Agent.


Who Is Affected?

Google researchers have confirmed that the vulnerability exists in Microsoft Windows 10 64 bits. They also noted the affected driver could be vulnerable since at least Windows 7. The Check Point Research team has confirmed the existence of the vulnerability in 64 bits of the Windows operating system.

Check Point customers remain protected

Check Point’s development and research teams took immediate action. They’ve successfully analyzed the vulnerability’s root cause, developed the appropriate protection, and updated Check Point’s entire network security product suite. The new protection is now available as a part of:

The Anatomy of the Attack

While analyzing the vulnerability root cause, our researchers have developed a malicious file that could have been used by attackers to trigger the Window’s vulnerability mentioned above. The threat emulation report below provides an in-depth analysis of this malicious file, based on all the malicious attempts recorded when running it in the Check Point’s advanced sandboxing technology. The threat emulation report provides insights into the attack vector, correlation with the MITRE ATT&CK framework, threat emulation videos, and more. To better understand how attackers may take advantage of this vulnerability to attack your organizations, we invite you to check out this threat emulation report,

Figure 1: A Snippet from Check Point’s Threat Emulation report of a malware exploitingCVE-2020-17087

This report is a part of Check Point’s Threat Emulation, an innovative zero-day sandboxing technology, leveraged by Check Point’s SandBlast Network solution. It delivers the best possible catch rate for threats and is virtually immune to all evasive attack techniques. The Threat Emulation report is also enriched with threat intelligence directly fed from Check Point ThreatCloud, the world’s largest threat intelligence resource for all IT surfaces – cloud, network, endpoints, and mobile devices.