Google’s Project Zero, an elite team of security bug hunters, has revealed details of a vulnerability in Windows that it says hackers are actively exploiting. Google had given Microsoft a one-week deadline to fix the bug. When the deadline expired, Google went ahead and published the details of the vulnerability.
The vulnerability has no particular name, but it has been tagged CVE-2020-17087, and it is reported to affect Windows 7 and 10.
Revealing details of the vulnerability, the team said the bug enabled hackers to escalate their level of access in Windows. They also said hackers are using this Windows vulnerability alongside a bug in Chrome, which Google has since fixed. The Chrome bug had allowed the hackers to escape Chrome’s sandbox, which normally keeps the browser separate from other apps, and thereby get malware onto the operating system.
Although Microsoft has yet to confirm when it plans to fix the bug, Project Zero’s technical lead, Ben Hawkes, said the security patch was expected in less than two weeks, by November 10. Microsoft promptly reacted to Google’s statements.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers,” Microsoft’s statement read. “While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
While the identity of the attackers or their motives cannot be ascertained at this point, Google’s director of threat intelligence, Shane Huntley, confirmed that the attacks were not related to the US election. He said these attacks were targeted at specific systems.
A spokesperson for Microsoft echoed Huntley’s view, confirming that the attacks were specific and not widespread.
This year has seen Microsoft contend with a long line of security flaws and vulnerabilities in its operating system. In January, the National Security Agency helped the company identify a cryptographic bug in Windows 10. However, there were no reports that hackers took advantage of this vulnerability.
Then in June, the Department of Homeland Security identified two key Windows bugs, one of which had the ability to spread widely across the internet, and the other of which could be used to take control of an entire Windows network.