Attackers use zero-day exploits to penetrate systems and pursue the complete compromise of target networks. More sophisticated actor groups employ multiple exploits in an attack chain to overcome security measures in modern operating systems and applications.
Microsoft was made aware of a targeted campaign exploiting multiple vulnerabilities in late October 2020. The attackers used a remote code execution (RCE) vulnerability in Google Chrome and other Chromium-based browsers (CVE-2020-15999), as well as a separate elevation of privilege (EOP) vulnerability (assigned CVE-2020-17087) in the Windows Kernel Cryptography Driver, to execute code in the browser and escape the Chrome application sandbox.
Microsoft is closely monitoring use of this attack chain as well as publicly available proof-of-concept (PoC) exploit code that might indicate further attempts to exploit these vulnerabilities. As of the time of publishing, Microsoft has not observed any attempts to exploit these vulnerabilities in other attacks.
Google has issued a patch for CVE-2020-15999 in the Chrome browser, and Microsoft has issued a patch for CVE-2020-15999 in Microsoft Edge. Both patches addressing the RCE should be applied immediately. All Chromium-based browsers should be updated to their latest versions.
In addition, customers should apply security updates for CVE-2020-17087 as soon as they are available. Microsoft plans to provide security updates that address this vulnerability with the November 2020 Security Updates. Customers utilizing automatic updates don’t need to take additional actions. Enterprises that manually manage updates should select the latest security updates and deploy them across their environments.