Google has dropped details of a previously undisclosed vulnerability in Windows, which it says hackers are actively exploiting. As a result, Google gave Microsoft just a week to fix the vulnerability. That deadline came and went, and Google published details of the vulnerability this afternoon.
The vulnerability has no name but is labeled CVE-2020-17087, and affects at least Windows 7 and Windows 10.
Google’s Project Zero, the elite group of security bug hunters which made the discovery, said the bug allows an attacker to escalate their level of user access in Windows. Attackers are using the Windows vulnerability in conjunction with a separate bug in Chrome, which Google disclosed and fixed last week. This new bug allows an attacker to escape Chrome’s sandbox, normally isolated from other apps, and run malware on the operating system.
Microsoft did not immediately comment when contacted by TechCrunch, but Project Zero’s technical lead Ben Hawkes said in a tweet that Microsoft plans to issue a patch on November 10.
But it’s unclear who the attackers are or their motives. Google’s director of threat intelligence Shane Huntley said that the attacks were “targeted” and not related to the U.S. election.
It’s the latest in a list of major flaws affecting Windows this year. Microsoft said in January that the National Security Agency helped find a cryptographic bug in Windows 10, though there was no evidence of exploitation. But in June and September, Homeland Security issued alerts over two “critical” Windows bugs — one which had the ability to spread across the internet, and the other could have gained complete access to an entire Windows network.
