Google: Chrome zero-day was used together with a Windows 7 zero-day

Google reveals Windows 7 zero-day. Microsoft is working on a fix.

Windows 7

Image: Microsoft

Google revealed today that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system.

The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27.

The attackers were using a combination of a Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems.

The company revealed the true severity of these attacks in a blog post today. Google said that Microsoft is working on a fix, but did not give out a timeline.

The company's blog post comes to put more clarity into a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader --a web API that lets websites and web apps read the contents of files stored on the user's computer.

Most users who saw the company's release didn't think too much about a run-of-the-mill Chrome update, which Google provides on a regular basis, sometimes for the smallest of bugs.

However, out of nowhere this week, on Tuesday, March 5, Google revealed that the Chrome security fix was actually a patch for a zero-day that was being exploited in the wild, but again, did not reveal any additional details.

Today's blog post provides these much-needed details, with the company revealing the existence of the Windows 7 zero-day, which attackers were using together with the Chrome zero-day in coordinated attacks.

Lecigne described the Windows 7 zero-day as "a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape."

"The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances," he added.

Google said this zero-day may only be exploitable on Windows 7 due to recent exploit mitigations added in Windows 8 and later.

"To date, we have only observed active exploitation against Windows 7 32-bit systems," Lecigne said.

The security researcher said that Google decided to go public with information about the Windows zero-day because they believe Windows 7 users should be aware of the ongoing attacks and take protective measures, just in case the attackers are using the Windows 7 zero-day in combination with exploits on other browsers.

More vulnerability reports: