Google has revealed details of a new zero-day Windows bug that it says is currently being exploited by hackers.
The vulnerability, as yet unnamed, is tracked as CVE-2020-17087. Google’s security outfit Project Zero posted the vulnerability to its Chromium repository, asking Microsoft to resolve the issue within one week. Microsoft failed to do so, and as a result the vulnerability has been published for all to see.
Windows 10 and Windows 7 are both affected by this bug, which lets attackers escalate the level of user access they have in Windows. Attackers are using this vulnerability in tandem with a bug in Chrome that Google disclosed and resolved the week prior. The bug being discussed this week allows attackers to escape from Chrome and execute malware on Windows 10.
Microsoft has made plans to issue a patch on November 10, according to Project Zero’s technical lead Ben Hawkes. However, Microsoft did not confirm or deny this date to TechCrunch when asked for comment.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers,” the company said in a statement. “While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
The spokesperson added that the attack is “very limited and targeted in nature” and that no evidence has been seen that would “indicate widespread usage.”