Google publishes details of Windows zero today being actively abused

Google Project Zero has revealed a zero-day vulnerability in Windows 7 to 10 because, according to the company, it is already being actively used in practice. The local vulnerability resides in the Windows Kernel Cryptography Driver and can lead to privilege escalation.

Google says it “believes” the vulnerability has been around since at least Windows 7, but at least works on a machine with an up-to-date Windows 10 build 1903, 64-bit. Google has a detailed description of the vulnerability and exploit, including the source code of a proof of concept program. The vulnerability has designation CVE-2020-17087. Google does not provide evidence that the vulnerability is being exploited.

Google states that it has given Microsoft seven days to fix this vulnerability. The deadline is said to be so short because of the signs that it is already being used in the wild. Microsoft has not released a fix at this time. This is expected to happen on Nov. 10, Microsoft’s next Patch Tuesday, The Register writes. Microsoft says in a response that ‘developing a security update is always a tightrope walk between speed and quality’.

The Register also writes that Microsoft does note that the vulnerability is actually not that bad because it must be part of a chain of exploits. This is a local vulnerability, so an attacker must first gain local access to a Windows machine. The only known link in the chain that would make this possible, a Chromium vulnerability with designation CVE-2020-15999, has already been fixed earlier this month.