Patched Chrome exploit worked hand-in-hand with critical Windows bug

Google has only seen the vulnerabilities actively exploited on 32-bit Windows 7 machines

Image of generic lines of code to indicate hackers at work

Google has revealed the 'highly severe' Chrome flaw patched last Friday was being actively exploited in conjunction with a Windows 7 vulnerability that has still not been fixed.

The first flaw, found in Chrome and dubbed CVE-2019-5786, was a use-after-free memory mismanagement error that was being actively exploited in the wild to pull off remote code execution attacks.

Advertisement - Article continues below

The second zero-day vulnerability, also reported on 27 February, concerned a local privilege escalation in the Windows win32k.sys kernel driver.

Attackers were seen exploiting the two vulnerabilities together, according to Google's Clement Lecigne, to seize control of victims' devices.

"Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft," said Lecigne, a member of Google's threat analysis group.

"Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks."

The Windows flaw, which has not yet been patched, can still be exploited if similar vulnerabilities to that found in Chrome exist in other browsers.

But Google believes this can only be exploited on Windows 7 due to mitigations recently added to newer versions of Microsoft's operating system, and have to date only seen the flaw being exploited on 32-bit Windows 7 installations.

Advertisement - Article continues below
Advertisement - Article continues below

This restricts the scale of the attack to some degree, with Windows 7 bearing a 38.4% share of all users according to the latest figures from Net Marketshare. Factoring in the proportion of Windows 7 users who run 32-bit installations reduces the scope of the attack yet further.

07/03/19: Google fixes 'highly severe' zero-day Chrome exploit

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited by criminals to inject malware onto a user's device.

The company is urging Chrome users to immediately update their web browsers to the latest version, released last week, in light of the discovery of a zero-day vulnerability rated 'highly severe'.

The flaw, termed CVE-2019-5786, is a memory mismanagement bug in Chrome's FileReader, an API included in all web browsers that allows apps to read files stored on a user's device or PC.

Its nature as a 'use-after-free' error means it tries to access memory after it has been deleted from Chrome's allocated memory and, through this mechanism, could lead to the execution of malicious code.

Advertisement - Article continues below

"According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.

"That's a programming tool that makes it easy for web developers to pop up menus and dialogues asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail."

"When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren't supposed to. Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what's called Remote Code Execution."

This breed of attack means cyber criminals could inject malware onto unsuspecting users' machines without any warning, or seize full control of a device.

The vulnerability was discovered by Clement Lecigne of Google's threat analysis group on 27 February. Google's technical program manager Abdul Syed said that the company has become aware of active exploits in the wild, but provided no further information as to the nature of these or who had been targeted.

Google initially released the fix on Friday 1 March, but updated its original announcement to provide further details around the flaw.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020