Google revealed today that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system.
The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27.
The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems.
The company revealed the true severity of these attacks in a blog post today. Google said that Microsoft is working on a fix, but did not give out a timeline.
The company's blog post brings clarity to a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader, a web API that lets websites and web apps read the contents of files stored on the user's computer.
Most users who saw the company's release didn't think too much about a run-of-the-mill Chrome update, which Google provides on a regular basis, sometimes for the smallest of bugs.
However, out of nowhere this week, on Tuesday, March 5, Google revealed that the Chrome security fix was actually a patch for a zero-day that was being exploited in the wild, but again, did not reveal any additional details.
Today's blog post provides these much-needed details, with the company revealing the existence of the Windows 7 zero-day, which attackers were using together with the Chrome zero-day in coordinated attacks.
Lecigne described the Windows 7 zero-day as "a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape."
"The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances," he added.
Google said this zero-day may only be exploitable on Windows 7 due to recent exploit mitigations added in Windows 8 and later.
"To date, we have only observed active exploitation against Windows 7 32-bit systems," Lecigne said.
The security researcher said that Google decided to go public with information about the Windows zero-day because they believe Windows 7 users should be aware of the ongoing attacks and take protective measures, just in case the attackers are using the Windows 7 zero-day in combination with exploits on other browsers.