Google security researchers revealed today a vulnerability zero-day in the operating system Windows already in use on the internet.
The zero-day is expected to be patched on November 10, which is the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, team lead Project Zero, Google's elite research team.
On Twitter, Hawkes said that the Windows zero-day (listed as CVE-2020-17087) has already been used as part of an attack two points, along with another Chrome zero-day (listed as CVE-2020-15999) that its team disclosed last week.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
- Ben Hawkes (@benhawkes) October 30, 2020
Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while Windows zero-day was the second part of this attack, which allowed attackers to escape from Chrome's secure container and run code on the victim's operating system.
The Google Project Zero team informed Microsoft last week and gave the company seven days to correct the error. Vulnerability details were released today, as Microsoft did not release any update at the scheduled time.
According to Google, zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker.
The vulnerability is reported to affect all versions of Windows from Windows 7 to the latest version of Windows 10.
Hawkes did not provide details on who exploited these two vulnerabilities, but usually most zero-days are discovered by state-funded hacking groups or large cybercriminals.
According to Google, the attacks were confirmed by a second security team of the company, the Threat Analysis Group of Google (Threat Analysis Group or simply TAG).
Shane Huntley, director of Google TAG, said the attacks did not appear to be related to the US election.
Chrome zero-day has been fixed with version 86.0.4240.111 of the Google browser.
