Researchers with Google’s Project Zero have disclosed a vulnerability in the Windows kernel that is being exploited in the wild, in combination with a known and already-patched Google Chrome flaw, in targeted attacks.
CVE-2020-17087 exists in the Windows Kernel Cryptography Driver and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” researchers explain in a Chromium entry.
A proof-of-concept program was tested on an updated build of Windows 10; however, the flaw is believed to be present in versions as early as Windows 7.
The vulnerability is being used along with CVE-2020-15999, a heap buffer overflow vulnerability that exists in Chrome’s implementation of FreeType, a common font rendering library. Project Zero