4.11.20

 

Amer Owaida

Google discloses zero-day bug exploited in the wild

The security hole isn’t expected to be plugged until the forthcoming Patch Tuesday bundle of security fixes

Google’s Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers.

The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)”.

The researchers also released proof-of-concept (PoC) code that they had tested on a recent version of Windows 10 (version 1903, 64-bit). They believe the security bug could have been around since Windows 7, potentially meaning that all versions from Windows 7 through 10 could be affected.

Per media reports, the flaw is being exploited in conjunction with another zero-day, which is indexed as CVE-2020-15999 and affects FreeType, a widely used software development library that is also part of the Google Chrome web browser.

Google reported the newly found bug, which is tracked as CVE-2020-17087, to Microsoft, but since it found evidence of the loophole being exploited in the wild, it opted for a seven-day disclosure deadline.

 

The patch is still a few days away

Currently, the security loophole doesn’t have a patch, but Project Zero’s technical lead Ben Hawkes tweeted that they do expect one to be released on November 10th, which coincides with the upcoming Patch Tuesday. 


Complete article on:

https://www.welivesecurity.com/2020/11/02/google-discloses-windows-zero-day-bug-exploited-in-the-wild/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29