Google disclosed a zero-day vulnerability in Windows 10 last month, and it's currently being used in the wild.
The security flaw, tracked as CVE-2020-17087, puts both Windows 10 and Windows 7 at risk. Google gave Microsoft the standard 7-day notice to patch the issue, but a week has come and gone with no solution. As a result, Google's Project Zero security team made its findings public.
Without getting too deep into the technical bits, this flaw allows bad actors to escalate the level of user access they have on a system. Used alongside a bug in Chrome (that Google already resolved), the vulnerability would allow hackers to plant malware on a Windows 10 PC.
Project Zero’s technical lead Ben Hawkes tweeted that Microsoft plans to issue a patch on November 10, or about a week after the issue was disclosed.
"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers," Microsoft said in a statement to TechCrunch.
It continued, "While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."
Google says the vulnerability is being actively exploited, but it's unclear who is behind the attacks. As reported by TechRadar, Google's director of threat, Shane Huntley, says the attacks were "targeted" and not linked to the ongoing U.S. presidential election.
While this all might sound very concerning, the risk level for most Windows 10 users is very low. As Huntley stated, these are targeted attacks, which likely means they are aimed at high-profile users, like celebrities. You don't need to take any drastic action, but we do recommend installing antivirus software on your PC to keep your files protected until Microsoft pushes out a fix about a week from today.