Google’s Project Zero team has released details of a critical vulnerability in Windows. The security researchers said that hackers are actively exploiting the vulnerability. Microsoft will reportedly issue a patch to fix the vulnerability by November 10.

Tracked as CVE-2020-17087, the vulnerability allows hackers to escalate system privileges. Hackers also leveraged another zero-day, a Chrome flaw tracked as CVE-2020-15999, to conduct the attacks.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” said Google in a post.

Google’s Project Zero team confirmed that the vulnerability CVE-2020-17087 affects Windows 7 and Windows 10 users.

Google’s Project Zero team periodically discloses vulnerabilities. The team also informs the affected company so that it can fix the security flaw.

In this case, Google gave Microsoft a seven-day deadline to fix the security flaw as it was being used in the wild.

Traditionally, the security team gives at least a 90-day deadline to fix the flaw. It publishes the vulnerability once the patch is available or the deadline has expired, whichever happens first.

According to Project Zero’s technical lead Ben Hawkes, Microsoft plans to fix the security flaw by November 10. He also clarified that this was targeted exploitation and not related to any US election-related targeting.

“Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.”

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company said in a statement.


Source: https://tech.hindustantimes.com/tech/news/google-discloses-zero-day-flaw-in-windows-that-s-being-used-in-the-wild-71604202342337.html
