Security News > 2020 > November > WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild

WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild
2020-11-02 01:43

Google has disclosed details of a new zero-day privilege escalation flaw in the Windows operating system that's being actively exploited in the wild.

The elevation of privileges vulnerability, tracked as CVE-2020-17087, concerns a buffer overflow present since at least Windows 7 in the Windows Kernel Cryptography Driver that can be exploited for a sandbox escape.

Project Zero has shared a proof-of-concept exploit that can be used to corrupt kernel data and crash vulnerable Windows devices even under default system configurations.

What's notable is that the exploit chain requires linking CVE-2020-17087 with another Chrome browser zero-day that was fixed by Google last week.

The Chrome zero-day involves a heap buffer overflow in the Freetype font library to run malicious code in the browser, but the newly revealed Windows zero-day makes it possible for an attacker to break out of Chrome's sandbox protections and run the code on Windows - also called a sandbox escape.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/1LiX8C0RJdg/warning-google-discloses-windows-zero.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-11-11 CVE-2020-17087 Incorrect Calculation of Buffer Size vulnerability in Microsoft products
Windows Kernel Local Elevation of Privilege Vulnerability
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995