Google security researchers revealed today a zero-day vulnerability in the Windows operating system already used on the internet.
The zero-day is expected to be fixed on November 10, the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, head of Project Zero, Google's elite research team.
On Twitter, Hawkes said that Windows zero-day (listed as CVE-2020-17087) has already been used as part of a two-point attack, along with another Chrome zero-day (listed as CVE-2020 -15999) that his team revealed last week.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
- Ben Hawkes (@benhawkes) October 30, 2020
Chrome zero-day was used to allow intruders to run malicious code inside Chrome, while Windows zero-day was the second part of this attack, allowing attackers to escape from the secure Chrome container and run code in victim operating system.
The Google Project Zero team informed Microsoft last week and gave the company seven days to correct the error. Vulnerability details were released today, as Microsoft did not release any update at the scheduled time.
According to Google, zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker.
The vulnerability is reported to affect all versions of Windows from Windows 7 to the latest version of Windows 10.
Hawkes did not provide details on who exploited these two vulnerabilities, but usually most zero-days are discovered by state-funded hacking groups or large cybercriminals.
According to Google, the attacks were confirmed by a second security team of the company, the Threat Analysis Group of Google (Threat Analysis Group or simply TAG).
Shane Huntley, director of Google TAG, said the attacks did not appear to be related to the US election.
Chrome zero-day has been fixed with version 86.0.4240.111 of the Google browser.