Microsoft’s November 2020 Patch Tuesday fixes zero day bug in Windows

 


Microsoft released a batch of security updates to patch a total of 112 vulnerabilities across multiple products, including a zero day flaw in the Windows kernel, which was disclosed by Google Project Zero last week.

The zero day bug, tracked as CVE-2020-17087, is described as a privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The flaw impacts all currently supported versions of the Windows OS, including all versions after Windows 7, and all Windows Server distributions. According to Google Project Zero, this vulnerability has been used in targeted attacks in conjunction with an already patched bug in Google Chrome (CVE-2020-15999). In the observed attacks, the Chrome vulnerability was used to run malicious code inside Chrome, while CVE-2020-17087 was exploited for sandbox escape.

Besides the Windows zero day, Microsoft addressed about two dozen high-risk vulnerabilities in various products, including an RCE flaw in Internet Explorer (CVE-2020-17053), an out-of-bounds read in Chakra Scripting Engine (CVE-2020-17048), several RCE bugs in Azure Sphere, Network File System (NFS), Excel, Microsoft Office Access Connectivity Engine (CVE-2020-17062), as well as Microsoft Windows’ Print Spooler, and a number of video and image file extensions [1, 2, 3, 4].
