Google Issues Update for Zero-Day Flaw, But 32-Bit Windows 7 Systems Still Subject to Attack
Google on Thursday described two "zero-day" vulnerabilities, one in the Google Chrome browser and one in Windows 7, that are being actively exploited in targeted attacks.
A zero-day vulnerability is a software flaw that attackers know about before the software vendor does, as explained in a useful summary in this Sophos security blog post. The Chrome vulnerability, tracked as CVE-2019-5786, is a use-after-free bug in the browser's FileReader API. Google pushed out a software "update for all Chrome platforms on March 1." Users with the browser's automatic updating turned on will receive it. The aim is for every Chrome installation to be at version 72.0.3626.121 or greater, the first build that carries the fix.
To make Chrome check for the update immediately, open the browser menu, choose "Help" and select "About Google Chrome." That page downloads any pending update, but the fix is applied only after the browser is relaunched.
On the Windows 7 side, Google described a "local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape." win32k.sys is the kernel-mode driver behind the Windows GUI subsystem, and a bug in it lets code that has already compromised a sandboxed process, such as a Chrome renderer, break out and run with kernel privileges. Google said it had only seen the flaw exploited on 32-bit Windows 7 systems.
Google suggested that newer Windows systems could have exploit mitigations in place that aren't present in Windows 7, and recommended upgrades to Windows 10 as a security measure.
Google said it had notified Microsoft about the Windows 7 vulnerability and that it was disclosing the bug under its policy for actively exploited vulnerabilities. That policy gives the vendor seven days before public disclosure, not the 90 days Google allows for bugs that are not under active attack, which is why the Windows details surfaced only days after the Chrome fix.
Initially, Windows 7 had been left out of the picture. Google's March 1 update notice had described only a FileReader issue in Chrome, without providing much information. However, in a March 5 Tweet, Justin Schuh, who led Chrome's security team at Google, urged Chrome users to ensure their browsers were updated to the latest version. He later explained in a series of Tweets that Google needed to send a broad alert because an updated Chrome is not protected until it is relaunched, so users could not rely on silent background updating alone.
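As an added example, not code from the article or from Google or Microsoft, the following PowerShell script performs the two checks an administrator of a Windows 7 fleet would want after reading the above: whether the installed Chrome is at or beyond 72.0.3626.121 (with a note when an update has been downloaded but is waiting on a relaunch), and whether the host is 32-bit Windows 7, the only population in which Google saw the win32k.sys exploit. It assumes Chrome lives in one of its default install locations and that it runs under Windows PowerShell 2.0 or later, the version Windows 7 SP1 ships with; the function names are the example's own.

```powershell
# Added example, not code from the article, Google or Microsoft. It checks the two
# things this story turns on: is the installed Chrome at or above 72.0.3626.121,
# and is this host 32-bit Windows 7, the only population in which Google saw the
# win32k.sys exploit. Assumptions: Chrome sits in one of its default install
# locations, and Windows PowerShell 2.0 (what Windows 7 SP1 ships with), hence
# Get-WmiObject rather than the newer Get-CimInstance.

$FixedChromeVersion = [System.Version]'72.0.3626.121'  # first build with the CVE-2019-5786 fix

function Get-OsExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Windows 7 reports kernel version 6.1.x; OSArchitecture is "32-bit" or "64-bit".
    $isWin7  = ($os.Version -like '6.1.*')
    $is32Bit = ($os.OSArchitecture -eq '32-bit')
    return New-Object PSObject -Property @{
        OSVersion    = $os.Version
        Architecture = $os.OSArchitecture
        Win7x86      = ($isWin7 -and $is32Bit)
    }
}

function Get-InstalledChrome {
    # Default install roots: system-wide (Program Files, plus Program Files (x86) on
    # 64-bit Windows) and per-user. Null roots are dropped so Join-Path never sees them.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Google\Chrome\Application\chrome.exe'
        if (Test-Path $exe) {
            $version = (Get-Item $exe).VersionInfo.ProductVersion
            # new_chrome.exe is where Chrome's installer stages an update it could not
            # apply because the browser was running; it is swapped in on relaunch.
            $staged = Test-Path (Join-Path $root 'Google\Chrome\Application\new_chrome.exe')
            return New-Object PSObject -Property @{
                Path         = $exe
                Version      = [System.Version]$version
                UpdateStaged = $staged
            }
        }
    }
    return $null
}

function Test-ChromePatched {
    param([System.Version]$Installed)
    # [System.Version] compares each dotted component numerically. A plain string
    # comparison would rank 72.0.3626.96 above 72.0.3626.121 and miss the unpatched build.
    return ($Installed -ge $FixedChromeVersion)
}

$os     = Get-OsExposure
$chrome = Get-InstalledChrome

if ($os.Win7x86) {
    Write-Output ("OS {0} {1}: 32-bit Windows 7, where the win32k.sys exploit was observed; no Windows fix was available when this article was written." -f $os.OSVersion, $os.Architecture)
} else {
    Write-Output ("OS {0} {1}: not 32-bit Windows 7." -f $os.OSVersion, $os.Architecture)
}

if ($chrome -eq $null) {
    Write-Output 'Chrome not found in its default install locations.'
} elseif (Test-ChromePatched -Installed $chrome.Version) {
    Write-Output ("Chrome {0} ({1}): at or above {2}, fixed for CVE-2019-5786." -f $chrome.Version, $chrome.Path, $FixedChromeVersion)
} else {
    Write-Output ("Chrome {0} ({1}): below {2}, still vulnerable to CVE-2019-5786." -f $chrome.Version, $chrome.Path, $FixedChromeVersion)
    if ($chrome.UpdateStaged) {
        Write-Output 'An update is staged as new_chrome.exe; relaunch Chrome to apply it.'
    }
}
```

The script needs no elevation: reading Win32_OperatingSystem and a file's version resource works as an ordinary user. The version on disk is what will run at the next launch, so a host that reports an unpatched chrome.exe together with a staged new_chrome.exe is fixed by a relaunch rather than a reinstall.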
Microsoft apparently had not published an advisory on the Windows 7 security vulnerability as of press time. However, when asked about Google's announcements and the alleged Windows 7 vulnerability, a Microsoft spokesperson confirmed the problem and offered the following information:
- Modern versions of Windows are not affected by the described issue, which is limited to the supported 32-bit versions of Windows 7 and below.
- Upgrading to a modern operating system that incorporates the latest defense-in-depth protections would provide multiple benefits in addition to mitigating this issue.
Microsoft also offered the following statement, which was attributed to Jeff Jones, senior director at Microsoft.
"Microsoft has a customer commitment to investigate reported security issues and proactively update as soon as possible."
Microsoft gave no indication of any interim measures for 32-bit Windows 7 systems short of upgrading them. Updating Chrome on those systems does close the browser-side entry point used in the observed attacks, but the win32k.sys flaw is a kernel bug that any code already running on the machine can target, so it remains exploitable until Microsoft issues a patch. When asked whether the Chrome update could serve as a mitigating factor in the meantime, the spokesperson said Microsoft had "nothing further to share on the matter."
Windows 7 Service Pack 1 is a supported product until Jan. 14, 2020, meaning that it still gets security patches.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.