A zero-day bug in Windows 7 and 10 is being actively exploited against older versions of the operating system, Google revealed in a technical report last week. The Google Project Zero team notified Microsoft and expected the company to issue a patch within a week.
On October 30, 2020, Ben Hawkes, team lead of Google's Project Zero, tweeted that the zero-day patch would be available on November 10.
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
— Ben Hawkes (@benhawkes) October 30, 2020
The security team from Google shared details of the Windows zero-day bug (labelled CVE-2020-17087) in a series of tweets. A zero-day bug is a vulnerability in computer software that does not have any previously known malware signatures. The bug is being “used in the wild”, said Google in its report on October 22.
Hawkes revealed that the Windows zero-day was being used in combination with the Chrome/freetype zero-day (labelled CVE-2020-15999), which the team had identified last week. Google had then deployed a security patch for it in a stable version update of Google Chrome.
How are Windows 7 and 10 impacted?
The Windows zero-day is present in the Windows kernel, and attackers can use it to run malware on the operating system with additional permissions. According to Google’s report, the attackers used the Chrome bug to run malicious code inside the Chrome browser. The Windows zero-day then allowed them to escape Chrome’s secure container, in what is known as a sandbox escape, and access the operating system.
The problem is present in all versions of Windows 7 and some versions of Windows 10. However, neither company has information about the attackers or their motives as of now. Google’s Director of Threat Analysis Shane Huntley clarified that the reported attacks were targeted exploitation and were unrelated to the ongoing US elections.
Though Microsoft has not commented on the zero-day bug yet, the company said in a statement, “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
A spokesperson from Microsoft also added that the attack is very limited and targeted in nature, and that they have seen no evidence of widespread usage of the vulnerability.