Vulnerability Management

Chrome updated to combat an exploited zero day

Google is recommending all Chrome users immediately update their browser in order to fix a zero-day issue that is being exploited in the wild in combination with another vulnerability found in Windows. Together, the two bugs could enable a security sandbox escape.

The Chrome fix was issued on March 1 and patched via an auto-update to version 72.0.3626.121 pushed by Google, but the company is suggesting users make certain the update is completed, and if not, to do so manually.

The Chrome flaw, CVE-2019-5786, is a use-after-free vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer, according to Tenable. The Microsoft issue is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape, said Google’s Clement Lecigne, Threat Analysis Group, in a blog.

“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances. We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems,” Lecigne wrote.

Google has informed Microsoft of the vulnerability, but due to the severity also decided to go public with the news, Lecigne said. Microsoft has not issued a patch as of March 8.

In addition to updating Chrome, Google recommends Microsoft users move from Windows 7 to Windows 10 and then apply the necessary patches when they become available.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds