Google Issues Update for Zero-Day Flaw, But 32-Bit Windows 7 Systems Still Subject to Attack

Google on Thursday described two "zero-day" vulnerabilities, one in the Google Chrome browser and one in Windows 7, that were being chained together in targeted attacks.

A zero-day vulnerability is a software flaw that attackers know about, and in this case are exploiting, before the vendor has a fix available, according to a useful summary in this Sophos security blog post. The Chrome vulnerability, labeled "CVE-2019-5786," is a use-after-free bug in the browser's FileReader API. Google pushed out a software "update for all Chrome platforms on March 1." Users with the browser's automatic updating service turned on will get the update to protect the browser. The aim is for all Chrome browsers to be at version 72.0.3626.121 or greater, since that is the first release carrying the fix.

It's possible to cause the Chrome browser to check for and fetch the latest update by going to "Help" and selecting "About Google Chrome" (or opening chrome://settings/help). The same page shows the installed version number. Note that a downloaded update is only applied after the browser is relaunched, so a Chrome window that has stayed open since before March 1 is still running the vulnerable code even if the update has already been downloaded.

On the Windows 7 vulnerability side, Google described a "local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape." The bug is a NULL pointer dereference in the driver. Its role in the attack chain is the second stage: once the FileReader exploit gives the attacker code execution inside Chrome's sandboxed renderer process, the kernel bug lets that code break out of the sandbox and run with kernel privileges. Exploits have only been seen on 32-bit Windows 7 systems, Google indicated.

Google suggested that newer Windows versions have exploit mitigations that aren't present in Windows 7 (Windows 8 and later refuse to let user-mode code map the NULL page, which defeats the usual way of turning a kernel NULL pointer dereference into code execution), and recommended upgrading to Windows 10 as a security measure.
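Two conditions in the article decide whether a given machine is still exposed: whether Chrome is at 72.0.3626.121 or newer, and whether the host is a 32-bit Windows 7 (or older) system on which the win32k.sys sandbox escape works. The following inventory triage helper is an added example written for this article, not code from Google or Microsoft. It compares version numbers as integer tuples rather than strings, flags each host with the applicable finding, and runs over a constructed sample inventory (the host names and the Windows NT version strings used to identify Windows 7 as "6.1" are assumptions for illustration).

```python
"""Triage helper: which hosts in a software inventory are still exposed to
the Chrome FileReader bug (CVE-2019-5786) and to the Windows 7 32-bit
win32k.sys sandbox escape described in the article.

Added example for this article; not Google's or Microsoft's code.
"""

from typing import Dict, List, NamedTuple, Tuple

# First Chrome release carrying the CVE-2019-5786 fix (from the article).
CHROME_FIXED: Tuple[int, ...] = (72, 0, 3626, 121)

# Windows 7 identifies itself as NT 6.1. The observed exploits hit 32-bit
# Windows 7 only, and Microsoft's statement extends the affected set to
# "Windows 7 and below", so anything at or below 6.1 on x86 is flagged.
WIN7_NT_VERSION: Tuple[int, ...] = (6, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '72.0.3626.121' into (72, 0, 3626, 121).

    Comparing tuples of ints avoids the lexicographic trap in which the
    string '100.0.0.0' sorts below '99.0.0.0'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def chrome_is_patched(version: str) -> bool:
    """True when the installed Chrome is 72.0.3626.121 or newer."""
    return parse_version(version) >= CHROME_FIXED


def os_exposed_to_escape(nt_version: str, arch: str) -> bool:
    """True for 32-bit Windows 7 or older, where the win32k.sys escape works."""
    is_32bit = arch.lower() in ("x86", "32-bit", "i386")
    return is_32bit and parse_version(nt_version) <= WIN7_NT_VERSION


class Host(NamedTuple):
    name: str
    chrome_version: str
    nt_version: str   # Windows kernel version, e.g. "6.1" is Windows 7
    arch: str         # "x86" or "x64"


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Return {hostname: [findings]} for every host that needs attention.

    'chrome-unpatched' means the renderer bug is still present; 'win32k-
    escape-exposed' means the kernel bug is reachable even if Chrome is
    fixed, because a local patch from Microsoft is what closes that one."""
    findings: Dict[str, List[str]] = {}
    for h in hosts:
        issues = []
        if not chrome_is_patched(h.chrome_version):
            issues.append("chrome-unpatched")
        if os_exposed_to_escape(h.nt_version, h.arch):
            issues.append("win32k-escape-exposed")
        if issues:
            findings[h.name] = issues
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY: List[Host] = [
    Host("ws-01", "72.0.3626.109", "6.1", "x86"),   # old Chrome on Win7 x86: full chain works
    Host("ws-02", "72.0.3626.121", "6.1", "x86"),   # Chrome fixed, kernel bug still present
    Host("ws-03", "72.0.3626.96", "10.0", "x64"),   # Win10: renderer bug only, escape blocked
    Host("ws-04", "73.0.3683.75", "6.1", "x64"),    # 64-bit Win7: not in the observed set
    Host("ws-05", "72.0.3626.121", "10.0", "x64"),  # nothing to do
]

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(issues)}")
```

In a real deployment the inventory rows would come from whatever asset management or endpoint agent already records the Chrome file version and the OS build; the point of the helper is the decision logic, in particular that a fixed Chrome clears only the first finding.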

Google indicated that it had notified Microsoft about the Windows 7 vulnerability under Google's vulnerability disclosure policy. That policy normally gives a vendor 90 days before details are published, but it shortens the window to seven days when a flaw is already being exploited in the wild, which is why Google described the Windows 7 bug publicly before a Microsoft patch was available.

Initially, Windows 7 had been left out of the picture. Google's March 1 update notice had just described a FileReader issue in Chrome without providing much information. However, in a March 5 tweet, Justin Schuh, a lead Google Chrome security researcher, urged Chrome users to ensure their browsers were updated to the latest version. He later explained in a series of tweets that Google needed to send out a broad alert because, unlike earlier Chrome fixes that users picked up silently, this one is only applied when the browser is relaunched, and many users leave Chrome running for long stretches without restarting it.

Microsoft apparently had not published an advisory on the Windows 7 security vulnerability as of press time. However, when asked about Google's announcements and the alleged Windows 7 vulnerability, a Microsoft spokesperson confirmed the problem and offered the following information:

  • Modern versions of Windows are not affected by the described issue, which is limited to the supported 32-bit versions of Windows 7 and below.
  • Upgrading to a modern operating system that incorporates the latest defense-in-depth protections would provide multiple benefits in addition to mitigating this issue.

Microsoft also offered the following statement, which was attributed to Jeff Jones, senior director at Microsoft.

"Microsoft has a customer commitment to investigate reported security issues and proactively update as soon as possible."

There was no indication from Microsoft whether any measures short of upgrading 32-bit Windows 7 systems could address the vulnerability. Updating Chrome on those systems does close the observed attack chain, since the win32k.sys bug was being used as the second stage after the FileReader exploit compromised the renderer process, but it does not fix the kernel driver itself, which remains exploitable by any code already running locally until Microsoft ships a patch. When asked about that possibility, the spokesperson said Microsoft had "nothing further to share on the matter."

Windows 7 Service Pack 1 is a supported product until Jan. 14, 2020, meaning that it still gets security patches.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
