Google discloses actively-exploited Windows zero-day vulnerability
The vulnerability gives an attacker admin-level control of the targeted Windows computer
Google’s Project Zero team first identified the bug and soon learned attackers were exploiting the vulnerability in the wild. Owing to the seriousness of the issue, Google reportedly gave Microsoft just a seven-day deadline to fix the flaw before announcing it.
When Microsoft failed to issue a security patch within the set timeframe, Google released the details of the zero-day vulnerability, which is now being tracked as CVE-2020-17087.
According to Google’s report, the vulnerability exists within the Windows Kernel Cryptography Driver cng.sys and uses the previously patched CVE-2020-15999 vulnerability that allows attackers to run malicious code inside Chrome browsers for successful exploitation.
Users who’ve installed the latest Chrome security patches seem to have greater protection against the new zero-day vulnerability, which currently affects Windows 7, 8 and 10 computers.
Microsoft says there’s no evidence of widespread exploitation and that the vulnerability cannot surpass the cryptographic application programming interface (CryptoAPI) included with Microsoft Windows operating systems. Shane Huntley, director of Google’s Threat Analysis Group (TAG) said the vulnerability is targeted and the attacks are not related to US elections.
Ben Hawkes, team lead for Project Zero, expects Microsoft to release a patch for the zero-day security issue during Microsoft's next Patch Tuesday on November 10.
Next-generation time series: Forecasting for the real world, not the ideal world
Solve time series problems with AIFree download
The future of productivity
Driving your business forward with Microsoft Office 365Free download
How to plan for endpoint security against ever-evolving cyber threats
Safeguard your devices, data, and reputationFree download
A quantitative comparison of UPS monitoring and servicing approaches across edge environments
Effective UPS fleet managementFree download