The head of Google’s Project Zero has disclosed a zero-day bug in the Windows OS that is being actively exploited. The vulnerability affects Windows 7 through Windows 10 and forms a two-part attack when combined with a Chrome bug. While the Chrome issue has been resolved with an update, Microsoft is yet to respond to its Windows bug.
Windows Bug Allows For RCE Attack
While vulnerabilities in software are common these days, a reliable OEM is judged by the time it takes to patch them. Security researchers and bug hunters disclose what they discover to the concerned OEM for credit, but if the OEM fails to respond within the stipulated time, they proceed to publish anyway.
One such publication is by Google, whose Project Zero team has published a report of a Windows vulnerability. The lead of the team, Ben Hawkes, has tweeted about a zero-day bug in Windows, tracked as CVE-2020-17087. This could be part of a two-stage attack, where an attacker can chain it to a bug in Google’s Chrome (CVE-2020-15999).
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
— Ben Hawkes (@benhawkes) October 30, 2020
The Chrome bug discovered last week lets an attacker execute malicious code and was addressed with a Chrome update (v86.0.4240.111) last week. Hawkes has now surfaced a bug in the Windows kernel, affecting all versions from Windows 7 to Windows 10. This lets an attacker execute the malicious code in the Windows OS by escaping Chrome’s container.
In what is termed a sandbox escape, an attacker can exploit both bugs to run malicious code in an outdated Chrome and eventually pass into the underlying OS. While Ben informed Microsoft last week and gave them a week to respond with a patch, Microsoft hasn’t shown up yet. Thus, he has now documented the issue with proof-of-concept code.
This revelation was even upvoted by Shane Huntley, the director of Google’s Threat Analysis Group (TAG). While Ben hasn’t mentioned who is exploiting the bugs, they could most likely be nation-state-backed hackers. Microsoft may come up with a patch for this on November 10th, when it releases its next Tuesday security update.