CVE-2020-1199: Windows Feedback Hub Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Jun

Released

2020-06-09

EPSS Score

0.27% (percentile: 50.8%)

Description

An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system with Windows Mixed Reality installed. An attacker could then run a specially crafted application to take control of an affected system. The security update addresses the vulnerability by correcting how the Feedback Hub handles objects in memory.

Affected Products (8)

Windows

• Windows 10 Version 1809 for HoloLens
• Windows 10 Version 2004 for x64-based Systems
• Windows 10 Version 1709 for x64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1803 for x64-based Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 2004 for HoloLens
• Windows 10 Version 1903 for HoloLens

Security Updates (5)

• 4561608
• 4557957
• 4561602
• 4560960
• 4561621

Acknowledgments

Zhiniang Peng <a href="https://twitter.com/edwardzpeng"> (@edwardzpeng) </a> of Qihoo 360 & Xuefeng Li working with <a href="https://bugcloud.360.cn">360 BugCloud</a>

Revision History

• 2020-06-09: Information published.