Google Reveals Zero-Day Vulnerability on Windows 10 After Microsoft Failed to Release Patch in 7 Days

Google has disclosed a vulnerability that its security team found in Windows 7 through Windows 10 after Microsoft failed to fix it.

Microsoft confirmed an unpatched zero-day vulnerability affecting every version of the Windows operating system from Windows 7 up to Windows 10. It is being targeted by attackers right now, according to Google's Project Zero team.

According to a Microsoft spokesperson, the company tried to meet all disclosure deadlines, including short-term ones such as Google Project Zero's seven-day disclosure deadline. It developed a security update that balances timeliness and quality. "Our ultimate goal is to help ensure maximum customer protection with minimal customer disruption," the spokesperson told Forbes.

CVE-2020-17087 effects

However, even though attackers have been actively targeting Windows systems, it does not mean the system will be shut down. According to a tweet from Project Zero technical lead Ben Hawkes, Google's Threat Analysis Group Director Shane Huntley noted that attackers have been exploiting the vulnerability without targeting U.S. election-related systems.

Microsoft has not yet revealed when a security patch for the Windows vulnerability will be released. Hawkes noted in his tweet that it could be included in the Patch Tuesday updates on November 10.

Although Microsoft confirmed the reported attack, it suggests that there is no indication of widespread exploitation, only a limited target scope. Meanwhile, the attack itself requires two vulnerabilities to be combined to launch a successful exploit.

However, one of them was already patched: CVE-2020-15999, a browser-based vulnerability found in Chrome browsers, which also affects Microsoft Edge. As long as the browser is updated, the system is protected. Google Chrome was updated on October 20, while Microsoft Edge was updated on October 22.

Currently, there is no known attack for the Windows vulnerability. However, this does not mean the machine is completely safe, as a cybercriminal with access to an already compromised system could still exploit it, although the vulnerability cannot affect cryptographic functionality.

"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers," said the Microsoft spokesperson.

Meanwhile, this zero-day attack also poses significant risks such as password reuse, phishing, and lack of two-factor authentication.

This is owned by Tech Times

Written by CJ Robles

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.