Security researchers from the Google Project Zero team have identified a zero-day vulnerability in the Windows kernel that appears to be actively exploited.
The zero-day vulnerability, tracked as CVE-2020-17087, was exploited as part of a two-stage attack, along with a Chrome zero-day vulnerability, CVE-2020-15999, which was fixed in Chrome version 86.0.4240.111, released last week. The Chrome flaw was exploited to allow malicious code to run inside the browser, while the Windows flaw allowed the attackers to break out of Chrome’s secure sandbox and execute code on the underlying operating system.
Although the vulnerability was found only eight days ago, experts decided to quickly disclose the details of the problem since hackers are already using it. Researchers have not yet disclosed details about these attacks, but according to the head of Google Project Zero, Ben Hawkes, the exploitation of CVE-2020-17087 has nothing to do with the US presidential election.
Project Zero shared its findings with Microsoft last week, giving Microsoft seven days to fix the bug. Since the Redmond giant did not release a patch within the deadline set by Project Zero, details of the vulnerability have been publicly disclosed.
This is not the first time that a Windows zero-day and a Chrome vulnerability have been exploited together to conduct an attack. It already happened in March 2019 with CVE-2019-5786 in Chrome and CVE-2019-0808 in Windows.