Patched Chrome exploit worked hand-in-hand with critical Windows bug

Google has only seen the vulnerabilities actively exploited on 32-bit Windows 7 machines

Image of generic lines of code to indicate hackers at work

Google has revealed the 'highly severe' Chrome flaw patched last Friday was being actively exploited in conjunction with a Windows 7 vulnerability that has still not been fixed.

The first flaw, found in Chrome and dubbed CVE-2019-5786, was a use-after-free memory mismanagement error that was being actively exploited in the wild to pull off remote code execution attacks.

The second zero-day vulnerability, also reported on 27 February, concerned a local privilege escalation in the Windows win32k.sys kernel driver.

Attackers were seen exploiting the two vulnerabilities together, according to Google's Clement Lecigne, to seize control of victims' devices.

Advertisement - Article continues below
Advertisement - Article continues below

"Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft," said Lecigne, a member of Google's threat analysis group.

"Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks."

The Windows flaw, which has not yet been patched, can still be exploited if similar vulnerabilities to that found in Chrome exist in other browsers.

But Google believes this can only be exploited on Windows 7 due to mitigations recently added to newer versions of Microsoft's operating system, and have to date only seen the flaw being exploited on 32-bit Windows 7 installations.

This restricts the scale of the attack to some degree, with Windows 7 bearing a 38.4% share of all users according to the latest figures from Net Marketshare. Factoring in the proportion of Windows 7 users who run 32-bit installations reduces the scope of the attack yet further.

07/03/19: Google fixes 'highly severe' zero-day Chrome exploit

Advertisement - Article continues below

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited by criminals to inject malware onto a user's device.

The company is urging Chrome users to immediately update their web browsers to the latest version, released last week, in light of the discovery of a zero-day vulnerability rated 'highly severe'.

The flaw, termed CVE-2019-5786, is a memory mismanagement bug in Chrome's FileReader, an API included in all web browsers that allows apps to read files stored on a user's device or PC.

Its nature as a 'use-after-free' error means it tries to access memory after it has been deleted from Chrome's allocated memory and, through this mechanism, could lead to the execution of malicious code.

Advertisement - Article continues below

"According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.

"That's a programming tool that makes it easy for web developers to pop up menus and dialogues asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail."

Advertisement - Article continues below

"When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren't supposed to. Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what's called Remote Code Execution."

This breed of attack means cyber criminals could inject malware onto unsuspecting users' machines without any warning, or seize full control of a device.

The vulnerability was discovered by Clement Lecigne of Google's threat analysis group on 27 February. Google's technical program manager Abdul Syed said that the company has become aware of active exploits in the wild, but provided no further information as to the nature of these or who had been targeted.

Google initially released the fix on Friday 1 March, but updated its original announcement to provide further details around the flaw.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020