Google has revealed details of a previously undisclosed vulnerability in Windows that it says hackers are actively exploiting. Because the bug is under active attack, Google gave Microsoft only a week to fix it. That deadline has come and gone, and Google released the vulnerability details this afternoon.
The vulnerability has no name but is tracked as CVE-2020-17087 and affects at least Windows 7 and Windows 10.
Google’s Project Zero, the elite team of security bug hunters that discovered the bug, said it allows an attacker to elevate their privileges in Windows. The attackers are using the Windows vulnerability in combination with a separate bug in Chrome that Google disclosed and fixed last week. This new bug lets an attacker escape Chrome’s sandbox, which normally isolates the browser from other applications, and run malware on the operating system.
In a tweet, Project Zero technical lead Ben Hawkes said Microsoft plans to release the patch on November 10.
Microsoft did not independently confirm this date when asked, but said in a statement: “Microsoft is committed to its customers to investigate reported security issues and update affected devices for customer protection. While we work to meet all of the researchers’ disclosure deadlines, including the short-term one in this case, developing security updates is a tradeoff between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
But it is not clear who the attackers are or what their motives were. Google’s director of threat intelligence, Shane Huntley, said the attacks were “targeted” and not related to the US election.
A Microsoft spokesperson also added that the reported attack was “very limited and targeted in the wild, and we don’t see any evidence of widespread use.”
This is the latest in a list of major bugs affecting Windows this year. Microsoft said in January that the National Security Agency helped find a cryptographic bug in Windows 10, although there was no evidence it had been exploited. But in June and September, the Department of Homeland Security issued warnings about two “critical” Windows bugs: one that could potentially spread across the internet, and another that could have given an attacker full access to an entire Windows network.
Updated with comment from Microsoft.