Google has published details of a previously unknown vulnerability in Windows that it says hackers are actively exploiting. Because of the active exploitation, Google gave Microsoft only a week to resolve the vulnerability. That deadline came and went, and Google released details of the vulnerability this afternoon.
The vulnerability has no catchy name, but it is tracked as CVE-2020-17087 and affects at least Windows 7 and Windows 10.
According to Google's Project Zero, the elite group of vulnerability hunters who made the discovery, the flaw enables an attacker to escalate their privileges in Windows. Attackers used the Windows vulnerability in conjunction with a separate bug in Chrome that Google announced and fixed last week. The Windows flaw allows an attacker to escape the Chrome sandbox, which normally isolates the browser from other apps, and run malware on the operating system.
In a tweet, Ben Hawkes, Project Zero's technical director, said Microsoft plans to release a patch on November 10th.
Microsoft did not independently confirm that date when asked, but said in a statement, “Microsoft is committed to investigating reported security issues and updating affected devices to help protect customers. While we are working to meet all researchers' disclosure deadlines, including short-term deadlines like this scenario, developing a security update is a balance between timeliness and quality. Our primary goal is to ensure maximum customer protection with minimal customer disruption.”
In addition to Chrome / Freetype 0day (CVE-2020-15999) last week, Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
– Ben Hawkes (@benhawkes) October 30, 2020
However, it is unclear who the attackers are or what their motives are. Shane Huntley, Google's director of threat intelligence, said the attacks were "targeted" and had nothing to do with the US election.
A Microsoft spokesperson added that the reported attack "is very limited and targeted, and we have seen no evidence of widespread use".
It is the latest in a string of major bugs to affect Windows this year. Microsoft said in January that the National Security Agency had helped find a cryptographic flaw in Windows 10, although there was no evidence of exploitation. Then, in June and September, Homeland Security issued warnings about two "critical" Windows flaws: one that could have spread over the Internet and another that could have given an attacker full access to an entire Windows network.
Updated with comment from Microsoft.