Project Zero, Google's security research team, has given Microsoft an ultimatum: there is a dangerous security flaw in Windows 10 that must be fixed immediately, because attackers are already using it against PCs running the operating system. It is a "zero-day" vulnerability, that is, one that is already being exploited in the wild before the vendor has released a patch.
Normally, whoever discovers such a flaw reports it to the software's developer and grants them 90 days to publish a patch before the details are disclosed. In this case the deadline was much shorter, only seven days, because the bug has already been found by attackers and is already being exploited. By exploiting this flaw, which affects Windows 7 as well as Windows 10, criminals can run malicious code with system privileges on PCs with these two Microsoft operating systems. The bug has been assigned the identifier CVE-2020-11787; Google's researchers found it while investigating another security problem, this one in Chrome.
CVE-2020-11787: why it is dangerous
Project Zero researchers have published the details of this vulnerability, knowing that attackers already have them. By exploiting CVE-2020-11787 an attacker can obtain SYSTEM privileges on Windows and, consequently, do almost anything on the compromised computer.
The attacks observed so far chained CVE-2020-11787 with another flaw, this one in the Chrome browser, which was fixed in the latest browser update, Chrome 86.0.4240.111. The Windows bug, however, remains unpatched.
According to Google, the vulnerability lets attackers bypass Windows' cryptographic protections, but Microsoft does not share this assessment and does not seem to be in any hurry to publish the patch needed to close the flaw.
Project Zero versus Microsoft
Google's Project Zero clearly made the vulnerability public as a way of putting pressure on Microsoft to hurry up and fix it. Microsoft, for its part, says not only that there is no sign the flaw has been exploited at scale, but also that it is not true that exploiting it can undermine the encryption in Windows 7 and Windows 10.
Ben Hawkes, head of Project Zero, replied to Microsoft on Twitter, saying plainly that the details were published to "incentivize" the company to fix the serious problem. In another tweet Hawkes said he expects the patch to arrive on November 10, the second Tuesday of the month, which by Microsoft tradition is "Patch Tuesday", the day each month on which Microsoft releases security updates for its products and services. Microsoft did in fact release the patch for CVE-2020-11787 on November 10.
Microsoft, meanwhile, is grappling with another big security issue, the Zerologon vulnerability, for which it has already published a patch that many users have still not downloaded and installed.