Google’s Project Zero team has released details of a critical vulnerability in Windows. The security researchers said that hackers are actively exploiting the vulnerability. Microsoft will reportedly issue a patch to fix the vulnerability by November 10.

IDed as CVE-2020-117087, the vulnerability allows hackers to escalate system privileges. Hackers also leveraged another a Chrome zero-day, tracked as CVE-2020-15999, to conduct the attacks.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a DeviceCNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” said Google in a post.

Google’s Project Zero team confirmed that the vulnerability CVE-2020-17087 affects Windows 7 and Windows 10 users.

Google’s Project Zero team periodically discloses vulnerabilities. The team also informs the affected company to fix the security flaw.

In this case, Google gave Microsoft a seven-day deadline to fix the security flaw as it was being used in the wild.

Traditionally, the security team gives at least a 90-day deadline to fix the flaw. It publishes the vulnerability once the patch is available or the deadline has expired, whichever happens first.

According to Project Zero’s technical lead Ben Hawkes, Microsoft has planned to fix the security flaw by November 10. He also clarified that this was targeted exploitation and not related to any US election-related targeting.

Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company said in a statement.

Follow HT Tech for the latest tech news and reviews, also keep up with us on Twitter, Facebook, and Instagram. For our latest videos, subscribe to our YouTube channel.

Source: https://tech.hindustantimes.com/tech/news/google-discloses-zero-day-flaw-in-windows-that-s-being-used-in-the-wild-71604202342337.html

Microsoft Windows, Zero-day, Microsoft Corporation, Google, Computer security, Vulnerability, Project Zero, Exploit

World news – GB – Google discloses zero-day flaw in Windows that’s being used in the wild

En s’appuyant sur ses expertises dans les domaines du digital, des technologies et des process , CSS Engineering vous accompagne dans vos chantiers de transformation les plus ambitieux et vous aide à faire émerger de nouvelles idées, de nouvelles offres, de nouveaux modes de collaboration, de nouvelles manières de produire et de vendre.

CSS Engineering s’implique dans les projets de chaque client comme si c’était les siens. Nous croyons qu’une société de conseil devrait être plus que d’un conseiller. Nous nous mettons à la place de nos clients, pour aligner nos incitations à leurs objectifs, et collaborer pour débloquer le plein potentiel de leur entreprise. Cela établit des relations profondes et agréables.

Nos services:

  1. Création des sites web professionnels
  2. Hébergement web haute performance et illimité
  3. Vente et installation des caméras de vidéo surveillance
  4. Vente et installation des système de sécurité et d’alarme
  5. E-Marketing

Toutes nos réalisations ici https://www.css-engineering.com/en/works/

LEAVE A REPLY

Please enter your comment!
Please enter your name here