2 November 2020

Google exposes Windows zero-day vulnerability actively exploited in the wild


Google's Project Zero security research team has disclosed a Windows zero-day vulnerability, which it says is being actively exploited in attacks together with an already patched bug in Google Chrome.

According to Google's report, the Windows zero-day, tracked as CVE-2020-17087, resides in the Windows kernel and allows an attacker to elevate their privileges on the system. The vulnerability affects at least Windows 7 and Windows 10.

According to the researchers, attackers are using this flaw together with a separate bug in Chrome (CVE-2020-15999), which Google fixed last month. CVE-2020-15999 is described as a heap buffer overflow in the FreeType font rendering engine. The vulnerability "exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts," and can be triggered with specially crafted fonts containing embedded PNG images.

In the observed attacks, the Chrome vulnerability was used to run malicious code inside the Chrome renderer, while CVE-2020-17087 was exploited to escape the browser sandbox.

Google has not revealed the nature of the attacks or who might have been behind them; the company only said that "this is targeted exploitation and this is not related to any US election related targeting." According to a Microsoft spokesperson, the reported attack is "very limited and targeted in nature, and we have seen no evidence to indicate widespread usage."

The Google Project Zero team contacted Microsoft last week and gave the company seven days to patch the bug. Since Microsoft had not provided a fix within that window, the researchers published the details of the vulnerability.

The CVE-2020-17087 flaw is expected to be patched on November 10 as part of Microsoft’s November Patch Tuesday release.
