Researchers with Google's Project Zero have disclosed a vulnerability in the Windows kernel that is being exploited in the wild, chained with an already-patched Google Chrome flaw, in targeted attacks.
CVE-2020-17087 is a bug in the Windows Kernel Cryptography Driver (cng.sys), which, as the researchers explain in their entry on the Project Zero bug tracker (hosted on the Chromium issue tracker), "constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)." Because the driver is reachable from low-privileged user-mode code, it is a natural target for the second stage of a browser exploit chain, after the attacker already has code execution inside a sandboxed process.
Project Zero's proof-of-concept source code was tested on an up-to-date build of Windows 10; the flaw is believed to be present in versions as early as Windows 7.
The vulnerability is being used together with CVE-2020-15999, a heap buffer overflow in FreeType, the open-source font rendering library bundled with Chrome. Project Zero disclosed that flaw alongside a Chrome patch in late October, warning it was being exploited in the wild. In the observed chain, the FreeType bug serves as the browser-side entry point and the kernel bug escapes Chrome's sandbox to gain elevated privileges.
Project Zero normally discloses flaws 90 days after reporting them, or sooner if a fix ships earlier. In this case the team disclosed seven days after notifying Microsoft, in line with its policy for bugs already under active exploitation. It expects a patch for CVE-2020-17087 to be issued on Nov. 10, Microsoft's monthly Patch Tuesday.
In a series of tweets, Project Zero technical lead Ben Hawkes defended the release: "We think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely." So far the bug has been observed only as part of an exploit chain whose entry point, the Chrome flaw, has already been fixed, so keeping Chrome up to date closes the known route to the kernel bug until the Windows patch ships.
Shane Huntley, director of Google's Threat Analysis Group (TAG), has confirmed that the exploitation is targeted and is not linked to any US election-related activity. No other details about the active attacks have been released so far.