Security News > 2020 > November > Microsoft fixes Windows zero-day disclosed by Google last month

Microsoft fixes Windows zero-day disclosed by Google last month
2020-11-10 13:50

Microsoft has fixed today a Windows kernel zero-day vulnerability exploited in the wild as part of targeted attacks and publicly disclosed by Project Zero, Google's 0day bug-hunting team, last month.

According to Project Zero researchers Mateusz Jurczyk and Sergei Glazunov who discovered it, the security flaw currently tracked as CVE-2020-17087 is a pool-based buffer overflow found in the Windows Kernel Cryptography Driver.

Project Zero provided a PoC exploit when it disclosed the bug on October 30, 2020, that can be used to crash unpatched Windows devices even for default system configurations.

The ongoing attacks exploiting this zero-day detected by Project Zero last month were not related to the U.S. election according to Google's TAG group which researches government-backed attacks targeting the company's users.

Due to the vulnerability being actively exploited in the wild, Project Zero disclosed it way before the default 90-day disclosure deadline was reached, after 7 days of being added to the Project Zero issue tracker.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-zero-day-disclosed-by-google-last-month/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-11-11 CVE-2020-17087 Incorrect Calculation of Buffer Size vulnerability in Microsoft products
Windows Kernel Local Elevation of Privilege Vulnerability
local
low complexity
microsoft CWE-131
7.8

Related vendor