Zero-day vulnerability in Windows 10

Ben Hawkes, leader of Google’s security team, released a report detailing the discovery of a zero-day vulnerability in the Windows operating system that has already been actively exploited. The expected date for the bug fix is November 10, when Microsoft will release its new update.


Through his Twitter account, Hawkes mentioned that the zero-day flaw, tracked as CVE-2020-17087, was exploited as part of a two-phase attack, in conjunction with the CVE-2020-15999 flaw affecting the Chrome browser. Google reported the Chrome flaw last week.






In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk


— Ben Hawkes (@benhawkes) October 30, 2020

The zero-day vulnerability in Chrome was exploited to let threat actors execute malicious code in the browser, while the Windows flaw was exploited in a second stage of the attack so that hackers could bypass the sandbox in Chrome and execute code on the target system. Google Project Zero submitted the report to Microsoft, which started a seven-day deadline for the company to correct the flaw.


The fix is not yet ready, so Project Zero published the details of the flaw. The Chrome vulnerability, meanwhile, was patched in browser version 86.0.4240.111.




Google’s report mentions that CVE-2020-17087 is a Windows kernel failure that could be exp ..
