Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild
2020-11-11 00:39

One of the fixed flaws is being actively exploited: the Windows Kernel Cryptography Driver vulnerability disclosed by Google's Project Zero at the end of last month.

The CVE-2020-17087 driver bug was also exploited alongside CVE-2020-15999, a remote-code exec vulnerability in Chrome's font-parsing code, to hijack targeted people's PCs. All three bugs are now patched; installing the latest software updates fixes them.

"One of the most notable fixes in this month's release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome," Satnam Narang, staff research engineer at security biz Tenable, told The Register.

"The elevation-of-privilege vulnerability was used to escape Google Chrome's sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year."

Judging from the above - and that Apple patched exploited-in-the-wild bugs, found by Google Project Zero, in its font parser and kernel code - one might assume someone highly skilled or some top-tier group has lately taken a particular interest in hijacking people's computers and devices via malicious webpages and documents.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/11/patch_tuesday_updates/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-11 | CVE-2020-17087 | Incorrect Calculation of Buffer Size vulnerability in Microsoft products. Windows Kernel Local Elevation of Privilege Vulnerability. (local, low complexity, microsoft, CWE-131) | 7.8 |
| 2020-11-03 | CVE-2020-15999 | Out-of-bounds Write vulnerability in multiple products. Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Microsoft | | 701 | 813 | 4663 | 4393 | 3691 | 13560 |
| Kernel | | 4 | 2 | 9 | 5 | 0 | 16 |