Google is recommending all Chrome users immediately update their browser in order to fix a zero-day issue that is being exploited in the wild in combination with another vulnerability found in Windows. Together, the two bugs could enable a security sandbox escape.
The Chrome fix was issued on March 1 via an auto-update to version 72.0.3626.121 pushed by Google, but the company is suggesting users make certain the update has completed and, if it has not, update manually.
The Chrome flaw, CVE-2019-5786, is a use-after-free vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer, according to Tenable. The Microsoft issue is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape, said Clement Lecigne of Google’s Threat Analysis Group in a blog post.
“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances. We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems,” Lecigne wrote.
Google has informed Microsoft of the vulnerability, but due to the severity also decided to go public with the news, Lecigne said. Microsoft has not issued a patch as of March 8.
In addition to updating Chrome, Google recommends Microsoft users move from Windows 7 to Windows 10 and then apply the necessary patches when they become available.
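For teams checking a fleet against the guidance above, the following added example (not from the article or from Google) sorts hosts by exposure to the two bugs. The inventory schema, host names and priority tiers are assumptions made for illustration; only the fixed version 72.0.3626.121 and the Windows 7 32-bit observation come from the article.

```python
import re

# Fixed Chrome build named in the article for CVE-2019-5786.
FIXED_CHROME = (72, 0, 3626, 121)

def parse_version(text):
    """Return a 4-part integer tuple, or None when no dotted version is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(host):
    """Classify one record of a hypothetical inventory schema (os, arch, chrome)."""
    version = parse_version(host.get("chrome"))
    # An unreadable version is treated as unpatched rather than assumed safe.
    chrome_fixed = version is not None and version >= FIXED_CHROME
    win7 = (host.get("os") or "").lower().startswith("windows 7")
    if not chrome_fixed and win7:
        # Both halves of the chain are present; the article reports observed
        # exploitation only on Windows 7 32-bit, so those hosts come first.
        return "P1" if host.get("arch") == "x86" else "P2"
    if not chrome_fixed:
        return "P3"  # browser bug only: update Chrome
    if win7:
        return "P4"  # Chrome fixed, but no win32k patch as of the article
    return "OK"

def report(inventory):
    """Return (name, tier) pairs, most urgent first."""
    rows = [(h["name"], triage(h)) for h in inventory]
    return sorted(rows, key=lambda r: (r[1] == "OK", r[1], r[0]))

# Constructed sample inventory (not real hosts).
SAMPLE = [
    {"name": "kiosk-01", "os": "Windows 7", "arch": "x86", "chrome": "72.0.3626.119"},
    {"name": "lab-02", "os": "Windows 7", "arch": "x64", "chrome": "unknown"},
    {"name": "dev-03", "os": "Windows 10", "arch": "x64", "chrome": "71.0.3578.98"},
    {"name": "hr-04", "os": "Windows 7", "arch": "x86",
     "chrome": "72.0.3626.121 (Official Build)"},
    {"name": "ops-05", "os": "Windows 10", "arch": "x64", "chrome": "73.0.3683.75"},
]

if __name__ == "__main__":
    for name, tier in report(SAMPLE):
        print(f"{tier:3} {name}")
```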