Google has warned users of a couple serious zero-day vulnerabilities that affects both Windows and Google Chrome users.
Google said it has already rushed out a patch for the flaw affecting Google Chrome, but it warned that Windows 7 users remain vulnerable as Microsoft has yet to fix the bug.
To make matters worse, Google warned that criminals are “actively exploiting” the flaws and it urged people to apply the Chrome fix as soon as possible.
Google explained in a blog posting that it had issued its Chrome update at the start of the month.
“This update was pushed through Chrome auto-update,” wrote Clement Lecigne of Google’s Threat Analysis Group. “We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.”
“The second vulnerability was in Microsoft Windows,” wrote Lecigne. “It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.”
Essentially the flaw is located deep within the OS and affects a function that should stop data from one program interacting with something outside that application.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne added. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”
“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Lecigne wrote.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”
Google said that Microsoft had informed them that it is working on a fix.
Lecigne also advised Windows 7 users to upgrade to Windows 10 to avoid the flaw.
One way to avoid falling victim was to upgrade to Windows 10, said Mr Lecigne.
The flaw is a stark reminder of the risk posed by the continued use of legacy operating systems.
Windows 7 was released back in 2009, and there are still millions of PC still running the OS, in both corporate and personal environments.
Microsoft ditched support for even older operating systems years ago. Support for Windows Vista ended in 2017 for example.
Do you know all about security? Try our quiz!
Troubled chip giant Intel will invest more than $28 billion to construct two new chip…
In Q3 Apple rejoins ranks of top five smartphone makers in China, as government welcomes…
IT spending growth in 2025 comes as CIOs move from proof-of-concept, and begin investment into…
Industry supply chain analyst says Apple cut orders for the iPhone 16 for Q4 2024…
Heavy fine for LinkedIn, after Irish data protection watchdog cites GDPR violations with people's personal…
UK competition regulator begins phase one investigation into Alphabet's partnership with AI startup Anthropic