{"id":45298,"date":"2020-11-02T20:51:11","date_gmt":"2020-11-03T01:51:11","guid":{"rendered":"https:\/\/www.opensource.im\/uncategorized\/google-discloses-windows-zeroday-bug-exploited-in-the-wild-we-live-security.php"},"modified":"2020-11-02T20:51:11","modified_gmt":"2020-11-03T01:51:11","slug":"google-discloses-windows-zeroday-bug-exploited-in-the-wild-we-live-security","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/cryptography\/google-discloses-windows-zeroday-bug-exploited-in-the-wild-we-live-security.php","title":{"rendered":"Google discloses Windows zero-day bug exploited in the wild &#8211; We Live Security"},"content":{"rendered":"<p>The security hole isn't expected to be plugged until the forthcoming Patch Tuesday bundle of security fixes<\/p>\n<p>Google's Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers.<\/p>\n<p>The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).<\/p>\n<p>The researchers also released proof-of-concept (PoC) code that they'd tested out on a recent version of Windows 10 (version 1903, 64-bit) and believe that the security bug could have been around since Windows 7, potentially meaning that all versions from Windows 7 through 10 could be affected.<\/p>\n<p>Per media reports, the flaw is being exploited in conjunction with another zero-day, which is indexed as CVE-2020-15999 and affects FreeType, a widely used software development library that is also part of the Google Chrome web browser.<\/p>\n<p>Google reported the discovery of the newly-found bug, which is tracked as CVE-2020-17087, to Microsoft, but since it found evidence of the loophole being exploited in the wild, it opted for a seven-day disclosure 
deadline.<\/p>\n<p>Currently, the security loophole doesn't have a patch, but Project Zero's technical lead Ben Hawkes tweeted that they do expect one to be released on November 10th, which coincides with the upcoming Patch Tuesday.<\/p>\n<p>Microsoft, meanwhile, provided this statement to TechCrunch:<\/p>\n<p>Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers' deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.<\/p>\n<p>A company spokesperson also went on to add that the attack seems to be quite limited and that there is no proof pointing to it being a widespread issue. The attacks are thought to be unrelated to the upcoming US presidential election.<\/p>\n<p>Since the beginning of this year, Microsoft has disclosed and patched several severe bugs in Windows, including a pair of zero-days back in March and another zero-day, which was found by the United States National Security Agency (NSA).<\/p>\n<p>Read the original post:<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/2020\/11\/02\/google-discloses-windows-zero-day-bug-exploited-in-the-wild\/\" title=\"Google discloses Windows zero-day bug exploited in the wild - We Live Security\" rel=\"noopener noreferrer\">Google discloses Windows zero-day bug exploited in the wild - We Live Security<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> The security hole isn't expected to be plugged until the forthcoming Patch Tuesday bundle of security fixes Google's Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers. 
The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape). <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1600],"tags":[],"class_list":["post-45298","post","type-post","status-publish","format-standard","hentry","category-cryptography"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/45298"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=45298"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/45298\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=45298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=45298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=45298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}