On Tuesday, tech giant Microsoft released its monthly roll-up of security fixes known as Patch Tuesday. In November, the software conglomerate patched 112 security flaws across an extensive range of products, from Microsoft Edge to the Windows WalletService.
This month’s fix also comprises a patch for a Windows zero-day flaw.
The zero-day, tracked as CVE-2020-17087, was revealed on October 30 by the Google Project Zero and TAG security teams. The search engine giant said the flaw was being abused together with a Chrome zero-day to target Windows 7 and Windows 10 users.
Cybercriminals would use the Chrome zero-day to run malevolent code inside Chrome and then use the Windows zero-day to leave the Chrome security sandbox and raise the code’s privileges to attack the primary OS.
Google found the zero-day around mid-October and gave Microsoft seven days to issue a patch. Since releasing a security fix for any Microsoft product —and particularly the huge Windows OS— takes time to test and modify, the cover was not ready during the original seven-day revelation timeline. But it is available starting Thursday.
As per Microsoft’s security advisory for CVE-2020-17087, the zero-day exists in the Windows kernel and affecs all presently supported versions of the Windows OS. This includes all versions after Windows 7, and all Windows Server distributions.
While rushing to install patches is a benign method for most users, system administrators of huge networks are counseled to test the fixes before an extensive rollout to circumvent any flaws or changes that disrupt internal systems.