Google has warned Windows 7 users of a zero-day vulnerability, actively exploited alongside a flaw in the company's own Chrome browser, and has advised users to consider upgrading to Windows 10 sooner rather than later.
Earlier this week Google confirmed that a patch released for its popular Chrome browser contained a fix for a serious security flaw under active exploitation in the wild. Using this flaw, malicious websites could execute arbitrary code - and attackers began doing just that prior to the development and release of the patch.
While the Chrome vulnerability has now been resolved as of version 72.0.3626.121, Google has advised that the same attackers were using the Chrome vulnerability to exploit a separate vulnerability in Microsoft's Windows operating system. 'It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape,' explains Clement Lecigne, of Google's Threat Analysis Group. 'The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.'
Mitigations for this vulnerability exist, but only for Windows 8.1 and newer. 'We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,' Lecigne continues. 'To date, we have only observed active exploitation against Windows 7 32-bit systems.'
With no word from Microsoft as to when a patch for the vulnerability may become available, and with the flaw under active attack, Lecigne has some advice for Windows 7 users: 'As mitigation advice for this vulnerability,' Lecigne writes, 'users should consider upgrading to Windows 10 if they are still running an older version of Windows.'
More details are available on the official blog post.
March 25 2020 | 14:00