Shane Huntley, Director of Google’s Threat Analysis Group was quick to announce that, “that this is targeted exploitation and this is not related to any US election-related targeting.”
As the vulnerability, CVE-2020-17087 was tracked it became clear that it allowed attackers to escalate and obtain system privileges. This security bug only affected Windows 7 and Windows 10.
The hack attackers were using a combination of two exploits which targeted a previously patched flaw in Chrome. This allowed the first malicious exploit to escape a security sandbox in order to allow the second to execute code on vulnerable machines.
Microsoft patched the bug got
Project Zero technical lead Ben Hawkes explained that the disclosure was made early in order to protect existing users who were being exploited.
The short deadline for in-the-wild exploit may serve as an incentive for the development of “out-of-band patches” or other mitigations being more quickly developed and shared.
On November 10, Microsoft provided security updates for all impacted Windows platforms on the MSRC (Microsoft Security Response Center) portal.
