Security researchers at Google have disclosed zero-day vulnerabilities that affect Chrome and the Windows 7 operating system. Google has provided a patch for Chrome, but no update was available for Windows 7 at the time of the disclosure.
Clement Lecigne of Google’s Threat Analysis Group said his team reported two 0-day vulnerabilities back on February 27th. One affected Google Chrome and the other Microsoft Windows 7. Attackers were exploiting the two bugs together.
Google fixed the vulnerability (CVE-2019-5786) with the latest Chrome update on March 1. Users should double-check to make sure the auto-update has upgraded their system to Chrome 72.0.3626.121 or later.
Lecigne also described the other 0-day threat as a local privilege escalation vulnerability in the Windows win32k.sys kernel driver that could be exploited by an actor as a security sandbox escape.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems,” Lecigne said in the blog post on Thursday.
Google reported the vulnerability to Microsoft shortly after it was discovered, but has only now disclosed it publicly because of the serious nature of the threat. Microsoft is working on a fix in the meantime.
Users are also encouraged to upgrade their older operating systems to Windows 10.
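The version check and the Windows 7 exposure described above can be triaged across a fleet from an asset inventory. The following is an added example, not code from Google or from this article; the inventory layout, host names and finding labels are assumptions, and the sample rows are constructed.

```python
import re

# First fixed Chrome build named in the article (CVE-2019-5786).
FIXED_CHROME = (72, 0, 3626, 121)

# Constructed sample inventory (hypothetical layout): host, OS, Chrome version.
INVENTORY = """\
ws-001,Windows 7 32-bit,72.0.3626.119
ws-002,Windows 10,72.0.3626.121
ws-003,Windows 7 64-bit,72.0.3626.96
ws-004,Windows 10,73.0.3683.75
ws-005,Windows 7 32-bit,72.0.3626.121
ws-006,Windows 10,unknown
"""

def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(inventory):
    """Map each host that needs attention to a list of finding labels."""
    findings = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, os_name, chrome = (field.strip() for field in line.split(","))
        issues = []
        version = parse_version(chrome)
        if version is None:
            # An unreadable version is a finding, not a pass.
            issues.append("chrome-version-unknown")
        elif version < FIXED_CHROME:
            # Tuple comparison is numeric per component. Comparing the raw
            # strings would rank "72.0.3626.96" above "72.0.3626.121".
            issues.append("chrome-unpatched")
        if os_name.startswith("Windows 7"):
            # The article reports no win32k.sys fix at disclosure time, so a
            # current Chrome does not clear the host.
            issues.append("win7-win32k-exposed")
        if issues:
            findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in triage(INVENTORY).items():
        print(host, ", ".join(issues))
```
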