This week’s Patch Tuesday included an array of updates to plug software security gaps. Microsoft released patches for 112 separate security flaws, including a fix for a zero-day threat that targeted Windows 7 and Windows 10 users, known as CVE-2020-17087.
What do we know about the CVE-2020-17087 threat?
The threat was “red-flagged” as under active exploitation by hackers. A Chrome zero-day was used to execute malicious code within the browser, at which point the hackers used the Windows zero-day to escape the Chrome security sandbox. The elevated privileges gained from that escape were then used to attack the operating system itself.
Microsoft has not released further details. The advisory around this bug is rather limited, as Microsoft aims to keep its advisory format more in line with the Common Vulnerability Scoring System (CVSS) format, which aligns with industry standards maintained by other software vendors. However, this new format means the removal of certain information, making it more challenging to assess the criticality of a given patch. Curious about the advisory format shift? Check out this Microsoft blog post.
When was the threat discovered?
Google observed the zero-day threat in mid-October. The complexity of testing and fine-tuning the fix led to a prolonged patch development timeline, but a patch is now available.
Before installing this patch broadly, be sure to test it on a pilot group ahead of the wider rollout. Doing so will confirm that it is compatible with the rest of your network.
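One way to gate the broad rollout on the pilot group is to check that the update is actually reported as installed on every pilot machine before proceeding. The PowerShell below is an added example for this post, not something from Microsoft or the article; the KB identifier and the pilot host names are placeholders you must replace with the actual values from your deployment tooling.

```powershell
# Added example: verify a pilot group reports the patch installed before a broad rollout.
# PLACEHOLDERS: replace $KbId with the real KB number for this month's update and
# $PilotHosts with the machines in your pilot ring. Requires WinRM access to each host.
$KbId       = 'KBXXXXXXX'                 # placeholder KB id, not from the article
$PilotHosts = @('PILOT-PC01', 'PILOT-PC02')  # placeholder pilot machine names

$results = foreach ($h in $PilotHosts) {
    try {
        # Get-HotFix queries installed updates on a remote host via WMI/CIM.
        $fix = Get-HotFix -Id $KbId -ComputerName $h -ErrorAction Stop
        [pscustomobject]@{ Host = $h; Installed = $true;  InstalledOn = $fix.InstalledOn; Error = $null }
    }
    catch {
        # Either the KB is missing or the host could not be reached; both block rollout.
        [pscustomobject]@{ Host = $h; Installed = $false; InstalledOn = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Only allow the broad rollout step to run when every pilot host reports the fix.
$missing = $results | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Rollout blocked: {0} pilot host(s) do not report {1}." -f $missing.Count, $KbId)
    exit 1
}
Write-Output "All pilot hosts report $KbId installed; safe to proceed with the wider rollout."
```

Run this from a management host after the pilot ring has had time to reboot; a non-zero exit code is what a deployment pipeline would use to stop the broad rollout stage.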
For more on this story, visit ZDNet.