According to Google Project Zero, there is a critical flaw in the Windows kernel that hackers can easily exploit.
The Google Project Zero team has once again discovered a critical flaw in Windows. The vulnerability affects many users; this time it is a security issue affecting the kernel. The vulnerability, in combination with a flaw in the Chrome browser, allows an attack against the operating system and allows an attacker to take control of the operating system.
Normally, bugs discovered by Google’s Project Zero experts are not published for 90 days, to give the developers concerned – in this case, Microsoft – enough time to fix them. However, the situation is different now in that Google has evidence that the bug is already being actively exploited by fraudsters, so the disclosure was made before the 90-day deadline. Partly because of this, Microsoft is still a long way from fixing the bug. However, Google itself has already fixed the problem, so that at least the kernel attack cannot be carried out through the Chrome browser.
The flaw is in the cng.sys file, the module responsible for encryption, which has been part of the system since Windows 7, so not only Windows 10 but also Windows 8/8.1 and Windows 7 are affected. The vulnerability allows attackers to cause a buffer overflow, which can lead to a system crash in the best-case scenario, or in the worst-case scenario, it can be used to give the rogue PC extra privileges and take control of the system. Microsoft has not yet said when the patch might be available.