Zero-day vulnerability in Windows 10

Ben Hawkes, who leads Google's Project Zero security research team, has disclosed a zero-day vulnerability in the Windows kernel that is already being actively exploited. Microsoft is expected to ship the fix on November 10, when it releases its next scheduled update.

Through his Twitter account, Hawkes said the flaw, tracked as CVE-2020-17087, was exploited as the second stage of a two-phase attack, chained with CVE-2020-15999, a vulnerability in the Chrome browser that Google had reported the previous week.

The Chrome zero-day gave the attackers code execution inside the browser; the Windows flaw was then used in the second stage to escape Chrome's sandbox and run code on the underlying system. Google Project Zero reported the Windows flaw to Microsoft under its seven-day disclosure deadline, the shortened window it applies to vulnerabilities already under active exploitation.

Because the fix was not ready when that deadline expired, Project Zero published the details of the flaw. The Chrome vulnerability, by contrast, has already been patched in browser version 86.0.4240.111.
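With the browser half of the chain already fixed, the practical question for a defender is whether every installed Chrome is at or above the fixed build. The following is an added example, not code from the article or from Google; the hostnames and version strings in the inventory are constructed for illustration. It compares versions numerically, component by component, because a plain string comparison would wrongly rank 86.0.4240.99 above 86.0.4240.111.

```python
"""Added example: decide whether an installed Chrome build contains the fix
for the browser zero-day, given the fixed version stated in the article."""

FIXED_CHROME_VERSION = "86.0.4240.111"  # fixed build named in the article


def parse_version(text: str) -> tuple[int, ...]:
    """Split 'major.minor.build.patch' into integers so comparison is numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so "86.0.4240" compares as 86.0.4240.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def unpatched_hosts(inventory: dict[str, str]) -> list[str]:
    """Return, sorted, the hostnames whose reported Chrome predates the fix."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ws-01": "86.0.4240.111",  # exactly the fixed build
    "ws-02": "86.0.4240.75",
    "ws-03": "86.0.4240.99",   # would sort *after* .111 as a string
    "ws-04": "87.0.4280.66",
    "ws-05": "85.0.4183.121",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} predates {FIXED_CHROME_VERSION}")
```

In practice the version strings come from whatever inventory tooling you already have; on a Windows host the product version of chrome.exe (under the default install path, an assumption) can be read with PowerShell's `Get-Item ... | Select-Object -ExpandProperty VersionInfo`, or from chrome://version in the browser itself.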

Google's report describes CVE-2020-17087 as a Windows kernel vulnerability that lets a local attacker elevate privileges, which is what makes it usable as a sandbox escape. It affects every version from Windows 7 through the current release of Windows 10.

Hawkes gave no details about the threat actors behind the exploitation. Zero-day chains of this kind are often attributed by the security community to state-sponsored groups, but Google's Threat Analysis Group, which also confirmed the flaws and their active exploitation, ruled out nation-state involvement in this case.

This is the second time Google has disclosed a chained attack pairing a Chrome zero-day with a Windows zero-day. In March 2019, the company revealed that a hacking group had actively exploited two such flaws, one in the browser and one in Windows, although the full impact of that campaign could not be determined.