Google has disclosed a zero-day vulnerability in the Windows operating system with a high-severity rating.
According to the details provided by Project Zero, Google's elite vulnerability research team, the vulnerability is being exploited in the wild.
The team has disclosed the vulnerability in addition to a separate zero-day vulnerability in Chrome, which Google had disclosed and patched last week in Chrome version 86.0.4240.111.
“In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape,” tweeted Project Zero’s technical lead Ben Hawkes.
“Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting,” Hawkes added.
The vulnerability
The Windows vulnerability works in tandem with the Chrome vulnerability, which allowed hackers to run malicious code inside Chrome.
The Windows bug was used in the second part of the attack, where hackers were able to escape Chrome's security and run malicious code on the underlying Windows operating system. Experts call such an attack a sandbox escape.
The vulnerability has a high severity rating and impacts all Windows versions between Windows 7 and the recently released Windows 10 version. As mentioned by Hawkes, the security patch is expected to be released on November 10.
According to a statement Microsoft provided to TechCrunch, the vulnerability has so far been used in a targeted attack. No evidence of widespread use of the bug has been discovered yet.