Google reveals a new Windows zero-day bug it says is under active attack

Zack Whittaker
Security Editor, TechCrunch
October 30, 2020
Google has revealed information concerning a previously unknown security flaw within Windows that is currently being leveraged by malicious actors. Consequently, Google provided Microsoft with a seven-day timeframe to address this vulnerability. This period has now passed, and Google released the specifics of the flaw earlier today.

The vulnerability currently lacks a formal name but is identified as CVE-2020-17087, and it impacts Windows 7 and Windows 10, among other versions.

Google’s Project Zero, a highly skilled team dedicated to identifying security weaknesses, discovered the issue. They report that the bug enables an attacker to gain elevated privileges within the Windows operating system. These attackers are exploiting the Windows vulnerability in combination with a separate flaw in Chrome, which Google previously disclosed and resolved last week. This additional bug permits an attacker to bypass Chrome’s security sandbox – typically a segregated environment – and execute malicious software on the underlying operating system.

Ben Hawkes, the technical lead for Project Zero, announced via Twitter that Microsoft intends to release a patch on November 10.

Microsoft did not directly verify this date when questioned, but released a statement affirming: “Microsoft is dedicated to investigating reported security concerns and providing updates to affected devices to safeguard our customers. While we strive to meet the disclosure timelines set by researchers, even those with short deadlines as in this instance, creating a security update requires a careful balance between speed and quality, with our primary focus being to deliver maximum customer protection while minimizing disruption.”

However, the identity of the attackers and their objectives remain uncertain. Shane Huntley, Google’s director of threat intelligence, stated that the attacks appear to be “targeted” and are not connected to the U.S. election process.

A representative from Microsoft also indicated that the reported attack is “highly focused and limited in scope, and we have not observed any indications of widespread exploitation.”

This represents the latest in a series of significant vulnerabilities impacting Windows this year. Microsoft acknowledged in January that the National Security Agency assisted in uncovering a cryptographic flaw in Windows 10, although there was no evidence of active exploitation at that time. Furthermore, in June and September, the Department of Homeland Security issued warnings regarding two “critical” Windows bugs – one with the potential for internet-wide propagation, and the other capable of granting complete control over an entire Windows network.

Updated with comment from Microsoft.

Zack Whittaker serves as the security editor for TechCrunch and is the creator of the “this week in security” cybersecurity newsletter. He is available for secure communication via Signal under the username zackwhittaker.1337. Alternatively, you can reach him through email, or confirm the legitimacy of any contact attempts by emailing zack.whittaker@techcrunch.com.