Its security researchers Google revealed today a zero-day vulnerability in the Windows operating system that usesalready online.
Το zero-day αναμένεται να επιδιορθωθεί στις 10 Νοεμβρίου, που είναι η ημερομηνία του επόμενου Patch Tuesday της Microsoft, σύμφωνα με τον Ben Hawkes, επικεφαλής της ομάδας Project Zero, Google's elite research team.
On Twitter, Hawkes said that Windows zero-day (listed as CVE-2020-17087) has already been used as part of a two-point attack, along with another Chrome zero-day (listed as CVE-2020 -15999) that his team revealed last week.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
- Ben Hawkes (@benhawkes) October 30, 2020
Chrome zero-day was used to allow intruders to run malicious code inside Chrome, while Windows zero-day was the second part of this attack, allowing attackers to escape from the secure Chrome container and run code in victim operating system.
The Google team Project Zero ενημέρωσε τη Microsoft την περασμένη εβδομάδα και έδωσε στην εταιρεία επτά ημέρες για να επιδιορθώσει το σφάλμα. Οι λεπτομέρειες για την ευπάθεια δημοσιεύθηκαν σήμερα, καθώς η Microsoft δεν κυκλοφόρησε κάποια ενημέρωση στον προκαθορισμένο χρόνο.
According to Google, zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker.
The vulnerability is reported to affect all versions of Windows from Windows 7 to the latest version of Windows 10.
Hawkes did not provide details on who exploited these two vulnerabilities, but usually most zero-days are discovered by state-funded hacking groups or large cybercriminals.
According to Google, the attacks were confirmed by a second security team of the company, the Threat Analysis Group of Google (Threat Analysis Group or simply TAG).
Shane Huntley, director of Google TAG, said the attacks did not appear to be related to the US election.
Chrome zero-day has been fixed with version 86.0.4240.111 of the Google browser.