A “serious” Windows 0-day is being actively exploited in the wild
Google security officials are advising Windows users to ensure they’re using the latest version 10 of the Microsoft operating system to protect themselves against a “serious” unpatched vulnerability that attackers have been actively exploiting in the wild.
Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday. While that specific exploit combination won’t be effective against Chrome users who are running the latest browser version, the Windows exploit could still be used against people running older versions of Windows. Google researchers privately reported the vulnerability to Microsoft, in keeping with its vulnerability disclosure policy.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks,” Clement Lecigne, a member of Google’s Threat Analysis Group, wrote in a blog post published Thursday. “The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.”