Google has revealed details of a new zero-day Windows bug that it says is currently being exploited by hackers.
The vulnerability, currently unnamed, has been classified as CVE-2020-17087. Google's security outfit Project Zero took to its Chromium repository to post the vulnerability, and asked Microsoft to resolve the issue in one week. Microsoft did not, so the vulnerability has been published for all to see.
Windows 10 and Windows 7 are both affected by this bug, which lets potential attackers continually escalate the level of user access they have in Windows. Would-be bad actors are using this vulnerability in tandem with a bug in Chrome that Google disclosed and resolved the week prior. The bug being discussed this week allows potential attackers to exit Chrome and execute malware on Windows 10.
Microsoft has made plans to issue a patch on Nov. 10, according to Project Zero's technical lead, Ben Hawkes. However, Microsoft would not confirm that date to TechCrunch when asked for comment.
"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers," the company said in a statement. "While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."
The spokesperson added that the attack is "very limited and targeted in nature" and that there has been no evidence seen that would "indicate widespread usage."