Google Advises Upgrade to Windows 10 to Fix Windows 7 Zero-Day Bug

Posted by & filed under Ειδοποιήσεις.

Google recommends users of Windows 7 to give it up and move to Microsoft’s latest operating system if they want to keep systems safe from a zero-day vulnerability exploited in the wild.

The security bug affects Windows win32k.sys kernel driver and leads to privilege escalation on Windows 7.

Google saw the Windows vulnerability in targeted attacks, chained with a zero-day vulnerability (CVE-2019-5786) in Chrome browser that received a patch on March 1 with the release of version 72.0.3626.121.

Upgrade to Windows 10, Google says

The kernel driver vulnerability could also serve for sandbox escaping when chained with other browser security faults, so Windows users could still be impacted even if they applied correctly the most recent update for Google Chrome.

Exploitation of the vulnerability in the wild targeted Windows 7 systems. Google believes that this is the only version of the OS where it works because the exploit mitigations Microsoft introduced in the newer versions of OS, Windows 10 in particular, would prevent it.

If you still run an older version of Windows, the recommendation is to upgrade to Windows 10 and keep it updated with the newest patches.

“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” writes Clement Lecigne, member of Google’s Threat Analysis Group.

Microsoft says they are working on a fix, but until they release it, users of Windows 7 are exposed.

Update Chrome the right way

Although the auto-update feature in Chrome installs the new code, it does not mean that the effects are also enforced.

Justin Schuh, engineering director on Google Chrome for desktop, explains that in the case of plugin components, Chrome can renew them separately and that would be all.

But when the browser code needs to be refreshed, the change takes effect after a restart, done manually in most cases.

 

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.