CVE-2020-0986: 
vulnerability analysis and mitigation

CVE-2020-0986 is an elevation of privilege vulnerability in the Windows kernel that was discovered in 2020. The vulnerability exists when the Windows kernel fails to properly handle objects in memory, specifically in the user-mode printer driver host process splwow64.exe. This vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 8.1, Windows RT 8.1, and Windows Server versions (MITRE CVE, NVD).

The vulnerability is an arbitrary pointer dereference flaw in the GDI Print/Print Spooler API, specifically within the splwow64.exe process. The issue stems from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. The vulnerability has a CVSS v3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with local access required (ZDI Advisory, Securelist).

When successfully exploited, this vulnerability allows an attacker to escalate privileges from low integrity and execute code in the context of the current user at medium integrity. This enables attackers to escape the Internet Explorer 11 sandbox since splwow64.exe runs with medium integrity level (Securelist).

Microsoft has released security patches to address this vulnerability. The fix involved implementing additional mitigations to make exploitation of OutputBuf vulnerabilities more difficult. The patch modified the format of printer commands and implemented new security checks in the handle table storage system (Securelist).