Google has disclosed a zero-day vulnerability in the Windows operating system with a high-severity rating.

According to the details provided by Project Zero, Google's elite vulnerability research team, the vulnerability is being exploited in the wild.

The disclosure comes in addition to a separate zero-day vulnerability in Chrome, which Google disclosed and patched last week in Chrome version 86.0.4240.111.

“In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape,” tweeted Project Zero’s technical lead Ben Hawkes.

“Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting,” Hawkes added.

The vulnerability

The Windows vulnerability works in tandem with the Chrome vulnerability, which allowed hackers to run malicious code inside Chrome.

The Windows bug was used in the second part of the attack, where hackers were able to escape Chrome’s security and run malicious code on the underlying Windows operating system. Experts call such an attack a sandbox escape.

The vulnerability has a high severity rating and impacts all Windows versions between Windows 7 and the recently released Windows 10 version. As mentioned by Hawkes, the security patch is expected to be released on November 10.

According to a statement Microsoft provided to TechCrunch, the vulnerability has so far been used in a targeted attack. No evidence of widespread use of the bug has been discovered yet.