The head of Google’s Project Zero has disclosed a zero-day bug in the Windows OS that is being actively exploited. The vulnerability affects Windows 7 through Windows 10 and forms a two-part attack when combined with a Chrome bug. While the Chrome issue has been resolved with an update, Microsoft is yet to respond to its Windows bug.

Windows Bug Allows For RCE Attack

Google Revealed a Zero-Day Bug Affecting Windows OS

While software vulnerabilities are common these days, an OEM's reliability is judged by the time it takes to patch them. Security researchers and bug hunters disclose what they discover to the concerned OEM for credit, but if the OEM fails to respond within the stipulated time, they proceed to publish anyway.

One such publication is by Google, whose Project Zero team has published a report of a Windows vulnerability. The lead of the team, Ben Hawkes, has tweeted about a zero-day bug in Windows, tracked as CVE-2020-17087. This could be part of a two-stage attack, where an attacker can chain it to a bug in Google’s Chrome (CVE-2020-15999).

In addition to last week’s Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk — Ben Hawkes (@benhawkes) October 30, 2020