Patched Chrome exploit worked hand-in-hand with critical Windows bug

Google has only seen the vulnerabilities actively exploited on 32-bit Windows 7 machines


Google has revealed the 'highly severe' Chrome flaw patched last Friday was being actively exploited in conjunction with a Windows 7 vulnerability that has still not been fixed.

The first flaw, found in Chrome and dubbed CVE-2019-5786, was a use-after-free memory mismanagement error that was being actively exploited in the wild to pull off remote code execution attacks.

The second zero-day vulnerability, also reported on 27 February, concerned a local privilege escalation in the Windows win32k.sys kernel driver.

Attackers were seen exploiting the two vulnerabilities together, according to Google's Clement Lecigne, to seize control of victims' devices.

"Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft," said Lecigne, a member of Google's threat analysis group.

"Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks."

The Windows flaw, which has not yet been patched, can still be exploited if vulnerabilities similar to the one found in Chrome exist in other browsers.

But Google believes the flaw can only be exploited on Windows 7 due to mitigations recently added to newer versions of Microsoft's operating system, and has to date only seen it being exploited on 32-bit Windows 7 installations.

This restricts the scale of the attack to some degree, with Windows 7 bearing a 38.4% share of all users according to the latest figures from Net Marketshare. Factoring in the proportion of Windows 7 users who run 32-bit installations reduces the scope of the attack yet further.

07/03/19: Google fixes 'highly severe' zero-day Chrome exploit

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited by criminals to inject malware onto a user's device.

The company is urging Chrome users to immediately update their web browsers to the latest version, released last week, in light of the discovery of a zero-day vulnerability rated 'highly severe'.

The flaw, termed CVE-2019-5786, is a memory mismanagement bug in Chrome's FileReader, an API included in all web browsers that allows apps to read files stored on a user's device or PC.

As a 'use-after-free' error, the bug causes Chrome to try to access memory after that memory has been freed from Chrome's allocated memory and, through this mechanism, could lead to the execution of malicious code.

"According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.

"That's a programming tool that makes it easy for web developers to pop up menus and dialogues asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail."

"When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren't supposed to. Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what's called Remote Code Execution."

This breed of attack means cyber criminals could inject malware onto unsuspecting users' machines without any warning, or seize full control of a device.

The vulnerability was discovered by Clement Lecigne of Google's threat analysis group on 27 February. Google's technical program manager Abdul Syed said that the company has become aware of active exploits in the wild, but provided no further information as to the nature of these or who had been targeted.

Google initially released the fix on Friday 1 March, but updated its original announcement to provide further details around the flaw.
