Google’s Project Zero team has released details of a zero-day vulnerability in Windows that, according to the researchers, attackers are actively exploiting. Microsoft is expected to issue a patch by November 10.
Tracked as CVE-2020-17087, the vulnerability lets a local attacker escalate privileges. In the observed attacks it was chained with a Chrome zero-day, CVE-2020-15999: the Chrome bug provides code execution inside the browser’s sandbox, and the Windows kernel bug is used to escape it.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” said Google in a post.
Google’s Project Zero team confirmed that the vulnerability CVE-2020-17087 affects Windows 7 and Windows 10 users.
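The attack surface described above is a kernel driver parsing caller-controlled IOCTL input. The following is an added illustration, not cng.sys code and not the root cause of CVE-2020-17087 (which this article does not describe): a user-mode model of a driver validating a hypothetical header-plus-properties input structure, showing a defective size computation beside a hardened one. All names, the layout and the sample request are assumptions constructed for the example.

```c
/* Added illustration (not cng.sys code): validating a "non-trivial"
 * IOCTL input structure. The layout, names and the truncation defect
 * are hypothetical and stand for the class of bug such parsing invites;
 * the article does not describe this CVE's root cause. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#pragma pack(push, 1)
typedef struct { uint32_t count; } req_header_t;             /* number of properties */
typedef struct { uint16_t id; uint16_t len; } prop_header_t; /* followed by len bytes */
#pragma pack(pop)

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Builds a request of `count` properties, each carrying `len` bytes of
 * `fill`. Returns bytes written, or 0 if `cap` is too small. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t count, uint16_t len, uint8_t fill) {
    size_t need = sizeof(req_header_t) + (size_t)count * (sizeof(prop_header_t) + len);
    if (need > cap) return 0;
    req_header_t hdr = { count };
    memcpy(buf, &hdr, sizeof hdr);
    size_t off = sizeof hdr;
    for (uint32_t i = 0; i < count; i++) {
        prop_header_t ph = { (uint16_t)i, len };
        memcpy(buf + off, &ph, sizeof ph);
        off += sizeof ph;
        memset(buf + off, fill, len);
        off += len;
    }
    return off;
}

/* Defective size computation: sums 16-bit lengths into a 16-bit total,
 * which wraps once the payload passes 65535 bytes. It never reads outside
 * [in, in + in_len), so calling it is safe; the wrong answer is the bug:
 * an allocation sized from it is too small for a copy loop that honours
 * each property's own len. */
uint16_t payload_size_truncated(const uint8_t *in, size_t in_len) {
    if (in_len < sizeof(req_header_t)) return 0;
    uint16_t total = 0;
    size_t off = sizeof(req_header_t);
    while (in_len - off >= sizeof(prop_header_t)) {
        prop_header_t ph;
        memcpy(&ph, in + off, sizeof ph);
        off += sizeof ph;
        if (in_len - off < ph.len) break;
        total = (uint16_t)(total + ph.len);   /* silent modulo-65536 wrap */
        off += ph.len;
    }
    return total;
}

/* Hardened validation: the count is bounded by what the buffer can hold,
 * each len is checked against the bytes actually supplied, and the total
 * is kept in size_t and capped at max_payload as it grows, so the size
 * handed to the allocator is the size the copy loop will write. */
int validate_request(const uint8_t *in, size_t in_len, size_t max_payload, size_t *payload) {
    if (in == NULL || payload == NULL || in_len < sizeof(req_header_t))
        return STATUS_INVALID_PARAMETER;
    req_header_t hdr;
    memcpy(&hdr, in, sizeof hdr);
    if (hdr.count > (in_len - sizeof hdr) / sizeof(prop_header_t))
        return STATUS_INVALID_PARAMETER;        /* more headers than bytes */
    size_t off = sizeof hdr, total = 0;
    for (uint32_t i = 0; i < hdr.count; i++) {
        if (in_len - off < sizeof(prop_header_t)) return STATUS_INVALID_PARAMETER;
        prop_header_t ph;
        memcpy(&ph, in + off, sizeof ph);
        off += sizeof ph;
        if (in_len - off < ph.len) return STATUS_INVALID_PARAMETER; /* data cut short */
        off += ph.len;
        total += ph.len;                        /* size_t: no 16-bit wrap */
        if (total > max_payload) return STATUS_BUFFER_TOO_SMALL;
    }
    if (off != in_len) return STATUS_INVALID_PARAMETER; /* trailing bytes: reject, never guess */
    *payload = total;
    return STATUS_OK;
}

/* Copies all property data into out only after validation, so every
 * memcpy is inside both buffers. Returns bytes copied, or 0 on rejection. */
size_t copy_payloads(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t total;
    if (validate_request(in, in_len, out_cap, &total) != STATUS_OK) return 0;
    req_header_t hdr; memcpy(&hdr, in, sizeof hdr);
    size_t off = sizeof hdr, w = 0;
    for (uint32_t i = 0; i < hdr.count; i++) {
        prop_header_t ph; memcpy(&ph, in + off, sizeof ph);
        off += sizeof ph;
        memcpy(out + w, in + off, ph.len);
        off += ph.len; w += ph.len;
    }
    return w;
}

/* Constructed sample: three properties of 30000 bytes = 90000 bytes of
 * payload, enough to wrap a 16-bit total (90000 mod 65536 = 24464). */
static uint8_t g_req[128 * 1024];
static uint8_t g_out[128 * 1024];
size_t sample_request_len(void) { return build_request(g_req, sizeof g_req, 3, 30000, 0x41); }
uint16_t sample_truncated_size(void) { return payload_size_truncated(g_req, sample_request_len()); }
int sample_validate(size_t max_payload, size_t *p) { return validate_request(g_req, sample_request_len(), max_payload, p); }
size_t sample_copied(size_t out_cap) { return copy_payloads(g_req, sample_request_len(), g_out, out_cap); }

int main(void) {
    size_t payload = 0;
    printf("request bytes : %zu\n", sample_request_len());
    printf("16-bit total  : %u (wrong)\n", sample_truncated_size());
    printf("validate(64K) : status %d\n", sample_validate(65536, &payload));
    printf("validate(128K): status %d, payload %zu\n", sample_validate(131072, &payload), payload);
    printf("copied        : %zu bytes\n", sample_copied(sizeof g_out));
    return 0;
}
```

The point of the model is the contract between size computation and copy loop: the defective version reports 24464 bytes for a 90000-byte payload, and any allocation sized from it would be overrun by a copy that trusts each property's `len`. The hardened version rejects the request outright when the payload does not fit, and the copy routine only runs after that check has passed.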
Project Zero reports the vulnerabilities it finds to the affected vendor and discloses them publicly under a fixed deadline.
In this case, Google gave Microsoft a seven-day deadline because the flaw was already being exploited in the wild.
The team’s standard deadline is 90 days. It publishes the details once a patch is available or the deadline has expired, whichever comes first.
According to Project Zero’s technical lead Ben Hawkes, Microsoft plans to fix the flaw by November 10. He also clarified that this was targeted exploitation and not related to any US election-related targeting.
“Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election-related targeting,” Hawkes wrote.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company said in a statement.
Google discloses zero-day flaw in Windows that’s being used in the wild