Microsoft has confirmed that an unpatched zero-day vulnerability in the Windows operating system that affects all versions from Windows 7 through Windows 10 is being actively addressed. Microsoft was first informed of the vulnerability by Google’s Project Zero team, a dedicated unit made up of leading vulnerability hunters that detects these so-called zero-day vulnerabilities. Since Project Zero found the security issue was being actively exploited by attackers in the wild, Microsoft had only seven days to fix it before disclosure. Microsoft has not released a security patch during this extremely restrictive period, and Google has released details of the zero-day vulnerability tracked as CVE-2020-17087.
The flaw itself is in the Windows Kernel Cryptography Driver (cng.sys) and could allow an attacker to escalate privileges when accessing a Windows computer. For the full technical detail, see the Google Project Zero disclosure. In simpler terms, however, it is a memory buffer overflow problem that could allow an attacker to take control of the target Windows computer at the administrator level.
It is known that attackers are currently actively targeting Windows systems. However, this does not mean that your system is down. First of all, I would like to point out that Shane Huntley, director of Google’s Threat Analysis Group, says the attackers who exploited the vulnerability are not currently targeting US election systems. This is good news and there is more.
"Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting." (Ben Hawkes, @benhawkes, October 30, 2020)
While Microsoft has confirmed that the reported attack was a real attack, it also indicates that the scope of the attack is inherently limited. At least this is not yet a widespread exploit. Microsoft claims to have no evidence of widespread exploits.
Then there is the attack itself, in which two vulnerabilities have to be chained together for a successful exploit to take place. One of them has already been patched. This was a browser-based vulnerability, CVE-2020-15999, in Chrome browsers, including Microsoft Edge. As long as your browser is up to date, you are protected. Microsoft Edge was updated on October 22nd, while Google Chrome was updated on October 20th.
No other attack chains for the Windows vulnerability are currently known. This does not mean that your computer is 100% secure, as an attacker with access to an already compromised system can still exploit it. However, it does mean there is no need to press the panic button to be honest. Microsoft has also confirmed that the vulnerability could not be exploited to compromise cryptographic functionality.
I reached out to Microsoft and a spokesperson told me, “Microsoft has a customer responsibility to investigate reported security issues and update affected devices to protect customers.”
Regarding this seven-day disclosure period from the Google Project Zero team, the Microsoft spokesman said, “While we are working to meet all researchers’ disclosure deadlines, including short-term deadlines like this scenario, developing a security update is a balance between timeliness and quality, and our primary goal is to ensure maximum customer protection with minimal customer disruption.”
Although Microsoft has not commented on the likely timing of a security patch to prevent the exploitation of this Windows vulnerability, Project Zero technical director Ben Hawkes has tweeted that it is expected to be part of the Patch Tuesday updates on November 10th.
What is the threat to the average Windows user? That remains to be seen, but for now I would classify it as a be-mindful-but-don't-panic situation. Hang fire, make sure your web browsers are up to date and you should be fine. In my humble opinion, your data is at far greater risk from other things than from this zero-day attack: risks like phishing in all forms, password reuse, lack of two-factor authentication, and software that is not kept up to date with security patches.