Google recommends users of Windows 7 to give it up and move to Microsoft’s latest operating system if they want to keep systems safe from a zero-day vulnerability exploited in the wild.
The security bug affects Windows win32k.sys kernel driver and leads to privilege escalation on Windows 7.
Google saw the Windows vulnerability in targeted attacks, chained with a zero-day vulnerability (CVE-2019-5786) in Chrome browser that received a patch on March 1 with the release of version 72.0.3626.121.
Upgrade to Windows 10, Google says
The kernel driver vulnerability could also serve for sandbox escaping when chained with other browser security faults, so Windows users could still be impacted even if they applied correctly the most recent update for Google Chrome.
Exploitation of the vulnerability in the wild targeted Windows 7 systems. Google believes that this is the only version of the OS where it works because the exploit mitigations Microsoft introduced in the newer versions of OS, Windows 10 in particular, would prevent it.
If you still run an older version of Windows, the recommendation is to upgrade to Windows 10 and keep it updated with the newest patches.
“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” writes Clement Lecigne, member of Google’s Threat Analysis Group.
Microsoft says they are working on a fix, but until they release it, users of Windows 7 are exposed.
Update Chrome the right way
Although the auto-update feature in Chrome installs the new code, it does not mean that the effects are also enforced.
Justin Schuh, engineering director on Google Chrome for desktop, explains that in the case of plugin components, Chrome can renew them separately and that would be all.
But when the browser code needs to be refreshed, the change takes effect after a restart, done manually in most cases.