
Google Issues Update for Zero-Day Flaw, But 32-Bit Windows 7 Systems Still Subject to Attack

Google on Thursday described two "zero-day" vulnerabilities, one in the Google Chrome browser and one in Windows 7, that were being used together in targeted attacks.

A zero-day vulnerability is a software flaw that attackers know about, and exploit, before the software vendor has a fix, as summarized in this Sophos security blog post. The Chrome vulnerability, labeled "CVE-2019-5786," is a use-after-free bug in the browser's FileReader API; Google fixed it with a software "update for all Chrome platforms on March 1." Users with the browser's automatic updating turned on receive the update in the background. The aim is for all Chrome installations to be at version 72.0.3626.121 or later, which is the first build protected against this exploit.

Going to "Help" and selecting "About Google Chrome" forces the browser to check for and download the latest update; the patched build does not run, however, until Chrome is relaunched.

On the Windows 7 side, Google described a "local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape." In other words, code that has already gained a foothold inside Chrome's restricted renderer process can use the kernel flaw to break out of the sandbox and run with kernel privileges. Exploitation has only been observed against 32-bit Windows 7 systems, Google indicated.
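The two conditions described above, a Chrome build older than 72.0.3626.121 and a 32-bit Windows 7 host, are easy to check from an administrator's console. The following PowerShell script is an added example, not code from the article, Google or Microsoft. It assumes Chrome's default install locations and Chrome's layout of one numbered folder per installed build under its Application directory; it distinguishes the build installed on disk from the build actually running, because a downloaded Chrome update takes effect only after a relaunch.

```powershell
# Added example (not from the article, Google or Microsoft): report whether this
# host runs the patched Chrome build and whether it is 32-bit Windows 7, the only
# configuration on which the win32k.sys exploit had been seen.
# Assumptions: default Chrome install paths, and Chrome's one-folder-per-build
# layout under its Application directory.

$PatchedChrome = [version]'72.0.3626.121'   # first fixed build (from the article)

function Get-ChromeExposure {
    # Candidate Application directories for system-wide and per-user installs.
    $appDirs = @(
        "$env:ProgramFiles\Google\Chrome\Application",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application",
        "$env:LOCALAPPDATA\Google\Chrome\Application"
    ) | Where-Object { $_ -and (Test-Path -Path $_) }

    # Newest numbered folder = the build that will run after the next relaunch.
    $installed = $null
    foreach ($dir in $appDirs) {
        Get-ChildItem -Path $dir |
            Where-Object { $_.PSIsContainer } |   # PSIsContainer works on PowerShell 2.0 (Windows 7 default)
            ForEach-Object {
                try { $v = [version]$_.Name } catch { return }   # skip non-version folders
                if ($null -eq $installed -or $v -gt $installed) { $installed = $v }
            }
    }

    # Build loaded by a running chrome.exe, if any. This can lag the installed
    # build because a downloaded update is applied only when Chrome restarts.
    $running = $null
    $proc = Get-Process -Name chrome -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc) {
        try { $running = [version]$proc.MainModule.FileVersionInfo.ProductVersion } catch { }
    }

    # Get-WmiObject rather than Get-CimInstance so this also runs on Windows 7's stock PowerShell 2.0.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $isWin7 = $os.Version -like '6.1.*'   # NT 6.1 = Windows 7 / Server 2008 R2

    New-Object -TypeName PSObject -Property @{
        InstalledChrome = $installed
        RunningChrome   = $running
        ChromePatched   = ($null -ne $installed -and $installed -ge $PatchedChrome)
        RelaunchNeeded  = ($null -ne $running -and $null -ne $installed -and
                           $running -lt $PatchedChrome -and $installed -ge $PatchedChrome)
        OSVersion       = $os.Version
        OSArchitecture  = $os.OSArchitecture
        Is32BitWin7     = ($isWin7 -and $os.OSArchitecture -eq '32-bit')
    }
}

$r = Get-ChromeExposure
$r | Format-List

if (-not $r.ChromePatched) {
    Write-Warning 'Chrome is older than 72.0.3626.121 (or not found); update it.'
}
if ($r.RelaunchNeeded) {
    Write-Warning 'Patched Chrome is installed but the running instance is older: relaunch Chrome.'
}
if ($r.Is32BitWin7) {
    Write-Warning 'This is the 32-bit Windows 7 configuration the exploit targets; updating Chrome does not fix the kernel flaw itself.'
}
```

Run it from an elevated prompt on each Windows 7 host. The RelaunchNeeded flag is the case that most often slips through: the updater has done its job, but the vulnerable build is still the one executing until the user closes and reopens the browser.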

Google suggested that newer Windows versions have exploit mitigations that Windows 7 lacks, which would make this bug far harder, if not impossible, to exploit there, and recommended upgrading to Windows 10 as a security measure.

Google indicated that it had notified Microsoft about the Windows 7 vulnerability in accordance with Google's vulnerability disclosure policy. That policy normally gives a vendor 90 days before details are published, but for a flaw that is already being exploited in the wild, as this one was, the deadline is only seven days, which is why Google went public before a Microsoft patch was available.

Initially, Windows 7 had been left out of the picture. Google's March 1 update notice had just described a FileReader issue in Chrome without providing much detail. However, in a March 5 tweet, Justin Schuh, a Google Chrome security engineering lead, urged Chrome users to ensure their browsers were updated to the latest version. He later explained in a series of tweets that the broad alert was needed because Chrome's background updater only downloads the fix; it takes effect when the browser is restarted, so users who never relaunch Chrome remain exposed.

Microsoft apparently had not published an advisory on the Windows 7 security vulnerability as of press time. However, when asked about Google's announcements and the alleged Windows 7 vulnerability, a Microsoft spokesperson confirmed the problem and offered the following information:

  • Modern versions of Windows are not affected by the described issue, which is limited to the supported 32-bit versions of Windows 7 and below.
  • Upgrading to a modern operating system that incorporates the latest defense-in-depth protections would provide multiple benefits in addition to mitigating this issue.

Microsoft also offered the following statement, which was attributed to Jeff Jones, senior director at Microsoft.

"Microsoft has a customer commitment to investigate reported security issues and proactively update as soon as possible."

There was no indication from Microsoft of any measure short of upgrading away from 32-bit Windows 7 that would address the vulnerability. For instance, it's not clear whether updating the Chrome browser on those systems would be an adequate stopgap until a patch arrives. When asked about that possibility, the spokesperson said Microsoft had "nothing further to share on the matter." Based on the technical description, a patched Chrome closes the entry point this particular attack chain used, but the win32k.sys flaw itself remains: any other code that attackers manage to run on an unpatched 32-bit Windows 7 machine, whether through a different browser bug or a malicious download, could still use it to gain kernel privileges.

Windows 7 Service Pack 1 is a supported product until Jan. 14, 2020, meaning that it still gets security patches.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
