The head of Google’s Project Zero has disclosed a zero-day bug in Windows OS, which is being actively exploited. The vulnerability affects Windows 7 to Windows 10 OS and forms a two-part attack combined with a Chrome bug. While Chrome’s issue has been resolved with an update, Microsoft is yet to respond to its Windows bug.

Windows Bug Allows For RCE Attack

Google Revealed a Zero-Day Bug Affecting Windows OS
Google Revealed a Zero-Day Bug Affecting Windows OS

While vulnerabilities in softwares are common these days, a reliable OEM is determined by the time he has taken to patch that vulnerability. Security researchers and bug hunters disclose anything they discovered to the concerned OEM for credits, but if they failed to respond within the stipulated time, they proceed to publish anyway.

One such publication is by Google, whose Project Zero team has published a report of Window vulnerability. The lead of the team, Ben Hawkes, has tweeted about a zero-day bug in Windows, tracked as CVE-2020-17087. This could be the part of a two-stage attack, where an attacker can chain it to a bug in Google’s Chrome (CVE-2020-15999).

The Chrome bug discovered last week will let an attacker execute a malicious code and has been addressed with a Chrome update (v86.0.4240.111) last week. He now surfaced a bug in the Windows kernel, affecting all versions from Windows 7 to Windows 10 systems. This lets an attacker execute the malicious code in Windows OS by escaping Chrome’s container.

Termed as Sandbox Escape, an attacker can exploit both the bugs to run a malicious code in outdated Chrome and eventually pass into the underlying system OS. While Ben has informed Microsoft last week and given them a week to respond with a patch, Microsoft hasn’t shown up yet. Thus, he now documented the issue with a proof of concept code.

This revelation was even upvoted by Shane Huntley, the director of Google’s Threat Analysis Group (TAG). While Ben hasn’t mentioned who exploits the bugs, they could mostly be the nation-state backed hackers. Microsoft may come up with a patch for this on November 10th, when it releases the next Tuesday security update.

Related Articles


Please enter your comment!
Please enter your name here