Google’s project zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.
In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.
CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.