Google Discloses Windows Zero-day Exploited In The Wild

Security researchers from Google have disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation.

The zero-day is expected to be patched on November 10, which is the date of Microsoft's next Patch Tuesday, according to Ben Hawkes, team lead for Project Zero, Google's elite vulnerability research team.

On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week.

The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome's secure container and run code on the underlying operating system — in what security experts call a sandbox escape.

The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug. Details were published today, as Microsoft did not release a patch in the allotted time.

Windows 7 to Windows 10 are impacted

According to Google's report, the zero-day is a bug in the Windows kernel that can be exploited to run an attacker's code with elevated permissions.

Per the report, the vulnerability impacts all Windows versions between Windows 7 and the most recent Windows 10 release.

Proof-of-concept code to reproduce attacks was also included.

Hawkes did not provide details about who was using these two zero-days. Usually, most zero-days are discovered by nation-sponsored hacking groups or large cybercrime groups.

Per the same Google report, the attacks were also confirmed by a second Google security team, Google's Threat Analysis Group (TAG).

Shane Huntley, Google TAG Director, said the attacks are not related to the US election.

The Chrome zero-day was patched in Chrome version 86.0.4240.111.

This is the second time that Google has disclosed a two-pronged attack that involved a Windows and a Chrome zero-day. In March 2019, Google said that threat actors had also combined a Chrome zero-day (CVE-2019-5786) with a Windows zero-day (CVE-2019-0808).
