Google’s Project Zero has released Proof of Concept code for a buffer overflow vulnerability in the Windows 10 kernel that can be exploited for local privilege escalation to run malware on the operating system. When combined with a recently patched flaw in Chrome, this would allow web malware to escape the Chrome sandbox and take complete control of a PC.
Google said the flaw (CVE-2020-17087) was being exploited in the wild and gave Microsoft only 7 days to patch it, a deadline which has unsurprisingly passed without a patch.
According to Project Zero’s technical lead Ben Hawkes, Microsoft plans to issue a patch on November 10.
While the flaw is being exploited in the wild, both Google and Microsoft said the attacks were “targeted”, though not related to the US Election.
A Microsoft spokesperson said the reported attack is “very limited and targeted in nature, and we have seen no evidence to indicate widespread usage.”
Of course, now that the Proof of Concept code has been released, this is unlikely to remain the case.
The flaw is believed to affect Windows versions dating all the way back to Windows 7, and also all fully patched versions of Windows 10.
In a statement, Microsoft said:
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”