New zero-day bug puts Windows OS at threat, reveals Google

A team of Google security researchers has revealed a zero-day vulnerability in the Microsoft Windows operating system that is under active exploitation.

According to Google project Zero technical lead Ben Hawkes, the zero-day vulnerability is expected to be patched on November 10.

“In addition to last week’s Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape,” Hawkes said in a tweet on Friday.

“Currently we expect a patch for this issue to be available on 10 November,” he added.

10 November is also the date of Microsoft’s next security Patch.

“We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley that this is targeted exploitation and this is not related to any US election related targeting,” Hawkes informed.

The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug, reports ZDNet.

The zero-day bug in the Windows kernel can be exploited to elevate an attacker’s code with additional permissions.

The vulnerability impacts all Windows versions between Windows 7 and the most recent Windows 10.

Microsoft was yet to comment on the new zero-day bug.

In March last year, Google said that threat actors have also combined a Chrome zero-day with a Windows zero-day vulnerability.

Google also made public the details of a medium-level security flaw in Microsoft Edge browser in 2018. The vulnerability was first discovered in November 2017 by the search giant’s Project Zero.