Patched Chrome exploit worked hand-in-hand with critical Windows bug

Google has only seen the vulnerabilities actively exploited on 32-bit Windows 7 machines


Google has revealed that the 'highly severe' Chrome flaw patched last Friday was being actively exploited in conjunction with a Windows 7 vulnerability that has still not been fixed.

The first flaw, in Chrome and tracked as CVE-2019-5786, was a use-after-free memory-management error that was being actively exploited in the wild to achieve remote code execution.

The second zero-day vulnerability, also reported to the vendor on 27 February, is a local privilege escalation in the Windows win32k.sys kernel driver.

Attackers were seen chaining the two vulnerabilities, according to Google's Clement Lecigne, to seize control of victims' devices: code execution gained through the Chrome bug is confined to the browser's sandboxed process, and the kernel privilege escalation is what breaks out of that sandbox to the underlying system.

"Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft," said Lecigne, a member of Google's threat analysis group.

"Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks."

The Windows flaw, which has not yet been patched, is a local privilege escalation rather than a remote one, so on its own it is not enough: an attacker still needs an initial foothold, which could come from a vulnerability similar to the Chrome one in another browser.

But Google believes the flaw can only be exploited on Windows 7, because of exploit mitigations added in newer versions of Microsoft's operating system, and has to date only observed it being exploited on 32-bit Windows 7 installations.

This limits the reach of the attack to some degree: Windows 7 accounted for 38.4% of desktop operating system users according to the latest figures from Net Marketshare, and only a fraction of those run 32-bit installations, which narrows the exposed population further.

07/03/19: Google fixes 'highly severe' zero-day Chrome exploit

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited in the wild to plant malware on users' devices.

The company is urging Chrome users to update their browsers immediately to the latest version, released last week, following the discovery of a zero-day vulnerability rated 'highly severe'.

The flaw, tracked as CVE-2019-5786, is a memory-management bug in Chrome's implementation of FileReader, a standard web API available in all major browsers that lets a page's script read the contents of files the user has chosen to provide to it, for example through a file-upload control.

It is a 'use-after-free' error: the browser keeps using a block of memory after that memory has been released back to the allocator. Once released, the block can be handed out again to hold other data, including data an attacker's page controls, so the stale reference ends up operating on attacker-chosen contents, and that is the foothold from which malicious code execution can follow.
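The following C program is an added illustration written for this article; it is not Chrome code and does not reproduce the FileReader bug itself. It uses a toy fixed-size slot allocator (an assumed stand-in for the browser's heap, chosen so that freed memory is reused deterministically and the program has no undefined behaviour) to model the general pattern behind a use-after-free: the object behind a pending read is freed when the read is cancelled, a second reference to it is left dangling, an attacker allocation of the same size lands in the same slot with attacker-chosen bytes, and the completion path then calls through the overwritten function pointer. The hardened variant differs only in that the cancel path detaches the reference before freeing. All names (`reader_t`, `attacker_spray`, `cancel_read_buggy`, `cancel_read_fixed`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy heap: NSLOTS equal-sized slots on a LIFO free list, so the allocation
 * that follows a free lands in the slot just released. Real allocators behave
 * this way for same-sized objects, which is what use-after-free exploits rely on.
 * (Assumed stand-in for the browser's allocator; not Chrome's code.) */
#define SLOT_SIZE 32
#define NSLOTS 4

/* Object a pending file read hands to the completion path. */
typedef struct {
    int (*on_done)(void);                       /* called when the read finishes */
    char label[SLOT_SIZE - sizeof(int (*)(void))];
} reader_t;

typedef union {
    reader_t reader;
    unsigned char raw[SLOT_SIZE];               /* attacker's view of the same slot */
} slot_t;

static slot_t pool[NSLOTS];
static int free_list[NSLOTS];
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;  /* slot 0 on top */
}
static slot_t *pool_alloc(void) { return free_top > 0 ? &pool[free_list[--free_top]] : NULL; }
static void pool_free(slot_t *s) { free_list[free_top++] = (int)(s - pool); }

static int legit_done(void) { return 1; }
static int attacker_done(void) { return 0x41414141; }

/* Attacker-controlled allocation of the same size: the first bytes of the
 * payload overlay reader_t.on_done, the rest is filler. */
static void attacker_spray(void) {
    slot_t *s = pool_alloc();
    int (*fake)(void) = attacker_done;
    memcpy(s->raw, &fake, sizeof fake);
    memset(s->raw + sizeof fake, 'A', SLOT_SIZE - sizeof fake);
}

/* Browser-side state: the completion path keeps a raw pointer to the reader. */
typedef struct { reader_t *completion; } read_state_t;

static reader_t *start_read(read_state_t *st) {
    reader_t *r = &pool_alloc()->reader;
    r->on_done = legit_done;
    strcpy(r->label, "filereader");
    st->completion = r;
    return r;
}

/* Buggy cancel: frees the reader but leaves st->completion dangling. */
static void cancel_read_buggy(read_state_t *st, reader_t *r) {
    (void)st;
    pool_free((slot_t *)r);
}

/* Fixed cancel: detach every reference before the memory can be reused. */
static void cancel_read_fixed(read_state_t *st, reader_t *r) {
    if (st->completion == r) st->completion = NULL;
    pool_free((slot_t *)r);
}

/* Completion path: refuses to dispatch when the read was cancelled. */
static int fire_completion(const read_state_t *st) {
    if (st->completion == NULL) return -1;
    return st->completion->on_done();
}

int normal_flow(void) {                 /* read completes: returns 1 */
    pool_init();
    read_state_t st = { NULL };
    start_read(&st);
    return fire_completion(&st);
}

int vulnerable_flow(void) {             /* use after free: returns 0x41414141 */
    pool_init();
    read_state_t st = { NULL };
    reader_t *r = start_read(&st);
    cancel_read_buggy(&st, r);          /* memory freed, reference kept */
    attacker_spray();                   /* freed slot now holds attacker bytes */
    return fire_completion(&st);        /* calls through the overwritten pointer */
}

int hardened_flow(void) {               /* same spray, no dispatch: returns -1 */
    pool_init();
    read_state_t st = { NULL };
    reader_t *r = start_read(&st);
    cancel_read_fixed(&st, r);
    attacker_spray();
    return fire_completion(&st);
}

int main(void) {
    printf("normal=%d vulnerable=0x%x hardened=%d\n",
           normal_flow(), vulnerable_flow(), hardened_flow());
    return 0;
}
```

The point to take from the two flows is that the attacker never writes outside their own allocation; the bug is entirely the stale `completion` pointer surviving the free. That is why the fix lives in the object's teardown path (clearing every outstanding reference, or holding the object through a reference-counted or weak handle) rather than in the attacker-facing code, and why the same spray that hijacks the vulnerable flow is harmless against the hardened one.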

"According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.

"That's a programming tool that makes it easy for web developers to pop up menus and dialogues asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail."

"When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren't supposed to. Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what's called Remote Code Execution."

Remote code execution means attackers could run malware on an unsuspecting user's machine without any warning, or seize full control of the device.

The vulnerability was discovered by Clement Lecigne of Google's threat analysis group and reported on 27 February. Google's technical program manager Abdul Syed said the company was aware of reports that an exploit existed in the wild, but gave no further detail about its nature or who had been targeted.

Google initially released the fix on Friday 1 March, but updated its original announcement to provide further details around the flaw.
