Millions of PCs still at risk from vulnerability that is being actively exploited by criminals
Google has warned users of a couple serious zero-day vulnerabilities that affects both Windows and Google Chrome users.
Google said it has already rushed out a patch for the flaw affecting Google Chrome, but it warned that Windows 7 users remain vulnerable as Microsoft has yet to fix the bug.
To make matters worse, Google warned that criminals are “actively exploiting” the flaws and it urged people to apply the Chrome fix as soon as possible.
Google explained in a blog posting that it had issued its Chrome update at the start of the month.
“This update was pushed through Chrome auto-update,” wrote Clement Lecigne of Google’s Threat Analysis Group. “We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.”
“The second vulnerability was in Microsoft Windows,” wrote Lecigne. “It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.”
Essentially the flaw is located deep within the OS and affects a function that should stop data from one program interacting with something outside that application.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne added. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”
“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Lecigne wrote.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”
Google said that Microsoft had informed them that it is working on a fix.
Lecigne also advised Windows 7 users to upgrade to Windows 10 to avoid the flaw.
One way to avoid falling victim was to upgrade to Windows 10, said Mr Lecigne.
The flaw is a stark reminder of the risk posed by the continued use of legacy operating systems.
Windows 7 was released back in 2009, and there are still millions of PC still running the OS, in both corporate and personal environments.
Do you know all about security? Try our quiz!