Security researchers from Google have disclosed a zero-day vulnerability in the Windows operating system that is currently under active exploitation. Ben Hawkes, team lead for Project Zero, announced it on Twitter, adding that the zero-day is expected to be patched on 10 November, the date of Microsoft’s next Patch Tuesday. Hawkes added that the zero-day, CVE-2020-17087, was part of a one-two punch attack, along with a Chrome zero-day, CVE-2020-15999, that his team had disclosed earlier.
“We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation, and this is not related to any US election-related targeting,” he added.
According to the tweet, the Google Chrome zero-day allowed attackers to run malicious code inside Chrome. The Windows zero-day was the second part of the attack: it allowed attackers to escape Chrome’s secure container and run code on the operating system, a technique known as a sandbox escape.
According to an official report by Google, the zero-day bug can be used to elevate the privileges of an attacker’s code, and it affects every Windows version from Windows 7 to Windows 10.
The report further added that a crash is easiest to reproduce with Special Pools enabled for cng.sys.
However, even in the default configuration, the corruption of 64 KB of kernel data will crash the system shortly after the exploit is activated.