Google discloses zero-day vulnerability in Windows OS, security patch weeks away

Security researchers from Google have now disclosed a zero-day vulnerability in the Windows operating system that is currently under active exploration. Ben Hawkes, team lead for Project Zero took to Twitter to inform about it, adding that the zero-day is expected to be patched on 10 November, which is the date of Microsoft’s next Patch. Hawkes added that the zero-day CVE-2020-17087 was a part of a two punch attack, along with a Chrome zero-day CVE-2020-15999 that his team had earlier disclosed. “We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting,” he added.

Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.

— Ben Hawkes (@benhawkes) October 30, 2020

According to the tweet, the Google Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of the attack, which allowed the threat to escape Chrome’s secure container and run code on the operating system, in something which is called a sandbox escape. According to an official report by tech giant Google, the zero-day bug can be used to raise an attacker’s code with additional permissions and it impacts every Windows versions between Windows 10 and Windows 7. The report further added that a crash is easiest to reproduce with Special Pools enabled for cng.sys. However, even in the default configuration, the corruption of 64 KB of kernel data will crash the system shortly after the exploit is activated as well.