
Windows Zero-Day CVE-2020-17087 (to be patched 10-Nov-2020) Actively Exploited and Using Unpatched Chrome/ChrEdge Browsers

The Windows zero-day elevation of privileges (EoP) vulnerability CVE-2020-17087 is being actively exploited in the wild and likely affects Win 7 and higher systems. This vulnerability will not be patched until the next Patch Tuesday on 10-Nov-2020 and there is now evidence that this EoP vulnerability in the Windows Kernel Cryptography Driver can use Chrome and MS ChrEdge browsers that have not received the 20-Oct-2020 patch for a second Chrome zero-day CVE-2020-15999 (a heap buffer overflow in the FreeType text rendering library) to facilitate the attack. From Catalin Cimpanu's 30-Oct-2020 ZDNet article Google Discloses Windows Zero-Day Exploited in the Wild:

"...The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome's secure container and run code on the underlying operating system — in what security experts call a sandbox escape.

The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug. Details were published today, as Microsoft did not release a patch in the allotted time...."

Sergiu Gatlan's 30-Oct-2020 BleepingComputer article Windows Kernel Zero-Day Vulnerability Used in Targeted Attacks notes that these ongoing attacks are not widespread, but I would still advise that Chrome and ChrEdge users ensure they have Chrome v86.0.4240.111 (released 20-Oct-2020, release notes <here>) and/or MS ChrEdge v86.0.622.51 (rel. 22-Oct-2020, see security advisory ADV200002) or later to patch the CVE-2020-15999 vulnerability in the FreeType library. Sergiu Gatlan's earlier article New Google Chrome Version Fixes Actively Exploited Zero-Day Bug has more information about this Chrome vulnerability.

Kudos to Susan Bradley for posting about these exploits in the AskWoody thread Patch Lady – Targeted Attacks Using Zero Day.
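
One way to check a machine against the minimum browser builds named in the post, as an added example that is not part of the original post. The install paths are assumed default locations; the two version numbers are the ones given above.

```powershell
# Minimum builds containing the CVE-2020-15999 FreeType fix (taken from the post).
$minimum = @{
    'Google Chrome'  = [version]'86.0.4240.111'
    'Microsoft Edge' = [version]'86.0.622.51'
}

# Assumption: default per-machine and per-user install locations.
$candidates = @{
    'Google Chrome'  = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    'Microsoft Edge' = @(
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
}

foreach ($browser in $minimum.Keys) {
    # Keep only the candidate paths that actually exist on this machine.
    $found = @($candidates[$browser] | Where-Object { Test-Path $_ })
    if ($found.Count -eq 0) {
        "{0}: not found in the default locations" -f $browser
        continue
    }
    foreach ($path in $found) {
        # ProductVersion of the executable is a four-part version string,
        # so it can be compared numerically as a [version] object.
        $installed = [version](Get-Item $path).VersionInfo.ProductVersion
        $status = if ($installed -ge $minimum[$browser]) { 'patched' } else { 'UPDATE NEEDED' }
        "{0} {1} ({2}): {3}, minimum {4}" -f $browser, $installed, $path, $status, $minimum[$browser]
    }
}
```

Comparing as `[version]` rather than as strings matters here: a plain string comparison would rank `86.0.4240.99` above `86.0.4240.111`.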