Google: Chrome zero-day was used together with a Windows 7 zero-day


Google revealed today that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system.
The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27.
The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems.
The company revealed the true severity of these attacks in a blog post today. Google said that Microsoft is working on a fix, but did not give out a timeline.
The company's blog post clarifies a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader, a web API that lets websites and web apps read the contents of files stored on the user's computer.
Most users who saw the company's release didn't think too much about a run-of-the-mill Chrome update, which Google provides on a regular basis, sometimes for the smallest of bugs.
However, out of nowhere this week, on Tuesday, March 5, Google revealed that the Chrome security fix was actually a patch for a zero-day that was being exploited in the wild, but again, did not reveal any additional details.
Today's blog post provides these much-needed details, with the company revealing the existence of the Windows 7 zero-day, which attackers were using together with the Chrome zero-day in coordinated attacks.
Lecigne described the Windows 7 zero-day as "a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape."
"The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances," he added.
Google said this zero-day may only be exploitable on Windows 7 due to recent exploit mitigations added in Windows 8 and later.
"To date, we have only observed active exploitation against Windows 7 32-bit systems," Lecigne said.
The security researcher said that Google decided to go public with information about the Windows zero-day because they believe Windows 7 users should be aware of the ongoing attacks and take protective measures, just in case the attackers are using the Windows 7 zero-day in combination with exploits on other browsers.
This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action. [3/3]
— Justin Schuh 🗑 (@justinschuh) March 7, 2019
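
The point made in the tweet above, that a downloaded update protects nothing until the browser is restarted, can be checked across a fleet. The following is an added example, not part of the original article: it compares each host's on-disk and running Chrome versions against 72.0.3626.121, and the inventory rows and field names are constructed assumptions.

```python
# Added example. The inventory rows are constructed and the field names
# (host, os, on_disk, running) are hypothetical, not from any real tool.
FIXED = (72, 0, 3626, 121)  # Chrome build that carries the CVE-2019-5786 fix

def parse_version(text):
    """Turn '72.0.3626.121' into a comparable tuple; reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(row):
    """Return 'vulnerable', 'restart-pending' or 'patched' for one host."""
    if parse_version(row["on_disk"]) < FIXED:
        return "vulnerable"          # the fix was never downloaded
    running = row.get("running")     # None or "" means Chrome is not running
    if running and parse_version(running) < FIXED:
        return "restart-pending"     # fix is on disk, old code still in memory
    return "patched"

def triage(inventory):
    """List hosts needing action, Windows 7 first (where attacks were observed)."""
    todo = []
    for row in inventory:
        state = classify(row)
        if state != "patched":
            todo.append((row["host"], state, row["os"].startswith("Windows 7")))
    return sorted(todo, key=lambda t: (not t[2], t[0]))

INVENTORY = [  # constructed sample data
    {"host": "ws-01", "os": "Windows 7 32-bit",
     "on_disk": "72.0.3626.121", "running": "72.0.3626.119"},
    {"host": "ws-02", "os": "Windows 10",
     "on_disk": "72.0.3626.121", "running": "72.0.3626.121"},
    {"host": "ws-03", "os": "Windows 10",
     "on_disk": "71.0.3578.98", "running": None},
    {"host": "ws-04", "os": "Windows 7 32-bit",
     "on_disk": "72.0.3626.121", "running": None},
]

if __name__ == "__main__":
    for host, state, win7 in triage(INVENTORY):
        print(f"{host}: {state}{' (Windows 7)' if win7 else ''}")
```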