Home / Tech / News / Google discloses zero-day flaw in Windows that’s being used in the wild

Google discloses zero-day flaw in Windows that’s being used in the wild

A bug in the Windows kernel could be exploited to elevate an attacker's code with additional permissions, Google's Project Zero team warns

Google said that these hackers would prompt users to install a legitimate version of the McAfee software from GitHub and on the side the malware was surreptitiously installed into the system. Google said that these hackers would prompt users to install a legitimate version of the McAfee software from GitHub and on the side the malware was surreptitiously installed into the system.
Google said that these hackers would prompt users to install a legitimate version of the McAfee software from GitHub and on the side the malware was surreptitiously installed into the system. (Pixabay)

Google’s Project Zero team has released details of a critical vulnerability in Windows. The security researchers said that hackers are actively exploiting the vulnerability. Microsoft will reportedly issue a patch to fix the vulnerability by November 10.

What is the vulnerability?

IDed as CVE-2020-117087, the vulnerability allows hackers to escalate system privileges. Hackers also leveraged another a Chrome zero-day, tracked as CVE-2020-15999, to conduct the attacks.

More From This Section

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” said Google in a post.

ALSO READ: Russian hackers attack US state and local government networks, US govt says

Who is affected?

Google’s Project Zero team confirmed that the vulnerability CVE-2020-17087 affects Windows 7 and Windows 10 users.

Why Google disclosed it?

Google’s Project Zero team periodically discloses vulnerabilities. The team also informs the affected company to fix the security flaw.

In this case, Google gave Microsoft a seven-day deadline to fix the security flaw as it was being used in the wild.

Traditionally, the security team gives at least a 90-day deadline to fix the flaw. It publishes the vulnerability once the patch is available or the deadline has expired, whichever happens first.

ALSO READ: Hackers posed as McAfee staff to trick users into installing malware

What is Microsoft doing?

Techcrunch, however, reports Microsoft has not confirmed the date.

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” the company said in a statement.

Follow HT Tech for the latest tech news and reviews, also keep up with us on Twitter, Facebook, and Instagram. For our latest videos, subscribe to our YouTube channel.