Google security researchers revealed today a zero-day vulnerability in the Windows operating system already used on the internet.
The zero-day is expected to be fixed on November 10, the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, head of Project Zero, Google's elite research team.
On Twitter, Hawkes said that Windows zero-day (listed as CVE-2020-17087) has already been used as part of a two-point attack, along with another Chrome zero-day (listed as CVE-2020 -15999) that his team revealed last week.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
- Ben Hawkes (@benhawkes) October 30, 2020
Το Chrome zero-day χρησιμοποιήθηκε για να επιτρέψει στους εισβολείς να τρέχουν κακόβουλο κώδικα μέσα στο Chrome, ενώ το Windows zero-day ήταν το δεύτερο μέρος αυτής της επίθεσης, που επέτρεπε στους επιτιθέμενους να ξεφύγουν από το safe Chrome container and run code on the victim's operating system.
The Google Project Zero team informed Microsoft last week and gave the company seven days to correct the error. Vulnerability details were released today, as Microsoft did not release any update at the scheduled time.
According to Google, zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker.
The vulnerability is reported to affect all versions of Windows from Windows 7 to the latest version of Windows 10.
Hawkes did not provide details on who exploited these two vulnerabilities, but usually most zero-days are discovered by state-funded hacking groups or large cybercriminals.
According to Google, the attacks were also confirmed by a second security group of the company, the Threat Analysis Group of Google (Threat Analysis Group or simply TAG).
Shane Huntley, its director Google TAG, said the attacks did not appear to be related to the US election.
Chrome zero-day has been fixed with version 86.0.4240.111 of the Google browser.