Google has disclosed a vulnerability that its security team found in Windows 7 through Windows 10 after Microsoft failed to fix it within the disclosure deadline.

Microsoft has confirmed an unpatched zero-day vulnerability affecting every version of Windows from Windows 7 through Windows 10. It is being actively exploited by attackers right now, according to Google's Project Zero team.

The weakness lies in cng.sys, the Windows Kernel Cryptography Driver. It could allow an attacker who already has access to a Windows computer to escalate their privileges. Google published the full technical details; in short, it is a memory buffer overflow that would give the attacker admin-level control over the victim's Windows computer.

Windows 10's new hacker attack: zero-day vulnerability

Google's dedicated unit, made up of zero-day security bug hunters, first notified Microsoft about the weakness and gave the tech giant seven days to fix it before disclosing it to the public. Project Zero applied the seven-day deadline because it found that the vulnerability was already being exploited by attackers.

Since Microsoft was unable to release a security patch within that limited timeframe, Google published the details of the zero-day vulnerability, which is tracked as CVE-2020-17087.

According to a Microsoft spokesperson, the company tries to meet all disclosure deadlines, including short ones such as Google Project Zero's seven-day disclosure deadline, and it has developed a security update that balances timeliness and quality. "Our ultimate goal is to help ensure maximum customer protection with minimal customer disruption," the spokesperson told Forbes.


CVE-2020-17087 effects

However, even though attackers have been actively targeting Windows systems, that does not mean affected systems will be shut down. According to a tweet from Project Zero technical lead Ben Hawkes, Google's Threat Analysis Group director Shane Huntley noted that the attackers exploiting the vulnerability have not been targeting U.S. election-related systems.

Microsoft has not yet revealed when a security patch will be released to prevent exploitation of the Windows vulnerability, but Hawkes noted in his tweet that it could be included in the November 10 Patch Tuesday updates.

Although Microsoft confirmed the reported attack, it says there is no indication of widespread exploitation, only a limited set of targets. The attack itself requires two vulnerabilities chained together to succeed.

However, one of them has already been patched: CVE-2020-15999, a browser vulnerability found in Chrome that also affects Microsoft Edge. As long as the browser is updated, the system is protected from that browser-based entry point. Google Chrome was updated on October 20 and Microsoft Edge on October 22.

Currently, there is no known attack that reaches the Windows vulnerability on its own. However, this does not mean the machine is completely safe: a cybercriminal who already has access to a compromised system could still exploit it, although the vulnerability does not affect cryptographic functionality.

"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers," said the Microsoft spokesperson.

Meanwhile, alongside this zero-day, significant risks such as password reuse, phishing and the lack of two-factor authentication remain.


This is owned by Tech Times

Written by CJ Robles

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.