A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer.
The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company.
Although the ramifications of the security flaw sound scary, Microsoft is urging caution for the time being. The technology giant has claimed that any threat is limited, with no evidence of widespread exploits taking place. As of yet, there is also no indication that attackers are using the exploit to target the US presidential election.
A patch is coming
One of the reasons why Microsoft can be so calm regarding the vulnerability (tracked as CVE-2020-17087) is that in order to be exploited, it requires another vulnerability, CVE-2020-15999. This earlier bug is browser-based and has already been patched. So, if your browser is up-to-date, you should be protected.
Microsoft has not commented on when a patch for the newly-discovered vulnerability is likely to be launched, but it wouldn’t be a surprise if it was packaged within the Patch Tuesday update set to be released on November 10. A Microsoft spokesperson told Forbes that “developing a security update is a balance between timeliness and quality,” which is why the Project Zero deadline was missed.
Any zero-day exploit is understandably a cause for concern but perhaps Microsoft is right not to be too panicked over this one. As long as Windows users make sure their browsers are updated, they’ll probably be fine until the patch arrives.