Chrome zero day being used to attack Windows

News by Doug Olenick

Google is recommending all Chrome users immediately update their browser to fix a zero-day issue that is being exploited in the wild in combination with another vulnerability found in Windows. Together, the two bugs could enable a security sandbox escape.

Google is recommending all Chrome users immediately update their browser to fix a zero-day issue that is being exploited in the wild in combination with another vulnerability found in Windows. Together, the two bugs could enable a security sandbox escape.

The Chrome fix was issued on 1 March and patched via an auto-update to version 72.0.3626.121 pushed by Google, but the company is suggesting users make certain the update is completed, and if not, to do so manually.

The Chrome flaw, CVE-2019-5786, is a use-after-free vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer, according to Tenable. The Microsoft issue is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape, said Google’s Clement Lecigne, Threat Analysis Group, in a blog.

"The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances. We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems," Lecigne wrote.

Google has informed Microsoft of the vulnerability, but due to the severity also decided to go public with the news, Lecigne said. Microsoft has not issued a patch as of 8 March.

In addition to updating Chrome, Google recommends Microsoft users move from Windows 7 to Windows 10 and then apply the necessary patches when they become available.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event