Windows 7 Users At Risk From ‘Serious Bug’, Google Warns

Google has warned users of a pair of serious zero-day vulnerabilities that affect both Windows and Google Chrome users.

Google said it has already rushed out a patch for the flaw affecting Google Chrome, but it warned that Windows 7 users remain vulnerable as Microsoft has yet to fix the bug.

To make matters worse, Google warned that criminals are “actively exploiting” the flaws and it urged people to apply the Chrome fix as soon as possible.

Windows flaw

Google explained in a blog posting that it had issued its Chrome update at the start of the month.

“This update was pushed through Chrome auto-update,” wrote Clement Lecigne of Google’s Threat Analysis Group. “We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.”

“The second vulnerability was in Microsoft Windows,” wrote Lecigne. “It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.”

Essentially, the flaw lies deep within the operating system, in a function that is supposed to stop data from one program interacting with anything outside that application.

“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne added. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”

“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Lecigne wrote.

“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”

Google said that Microsoft had informed them that it is working on a fix.
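The two checks a defender would actually run against the details above are a Chrome version comparison against the fixed build (72.0.3626.121) and a flag for Windows 7 32-bit hosts, where the kernel bug was observed being exploited. The following is an added example written for this page, not code from the article, Google or Microsoft; the inventory format (dicts with `host`, `os`, `arch` and `chrome` keys) and the sample hosts are constructed assumptions.

```python
"""Fleet check for the Chrome fix and the Windows 7 32-bit exposure described above.

Constructed example. Assumed (not from the article): an inventory of dicts with
'host', 'os', 'arch' and 'chrome' keys. The Windows 7 32-bit condition follows the
article's statement that exploitation was only observed on those systems.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fixed Chrome build named in the article.
CHROME_FIXED = "72.0.3626.121"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version string into a comparable tuple of ints.
    Malformed input raises ValueError instead of being silently accepted."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def chrome_is_patched(installed: str, fixed: str = CHROME_FIXED) -> bool:
    """True if installed >= fixed, compared component by component.
    A missing trailing component counts as 0, so 72.0.3626 < 72.0.3626.121."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


@dataclass
class Finding:
    host: str
    chrome_unpatched: bool
    win7_32bit: bool

    @property
    def risk(self) -> str:
        # Both conditions together match the browser-bug plus sandbox-escape chain
        # the article describes; either one alone is still worth acting on.
        if self.chrome_unpatched and self.win7_32bit:
            return "critical"
        if self.chrome_unpatched or self.win7_32bit:
            return "high"
        return "ok"


def assess(inventory: list[dict]) -> list[Finding]:
    """Evaluate every inventory record and return one Finding per host."""
    findings = []
    for rec in inventory:
        try:
            unpatched = not chrome_is_patched(rec["chrome"])
        except ValueError:
            unpatched = True  # unknown version: treat as unpatched, never as safe
        win7_32 = rec["os"].lower().startswith("windows 7") and rec["arch"] in ("x86", "32")
        findings.append(Finding(rec["host"], unpatched, win7_32))
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "ws01", "os": "Windows 7", "arch": "x86", "chrome": "72.0.3626.109"},
    {"host": "ws02", "os": "Windows 7", "arch": "x64", "chrome": "72.0.3626.121"},
    {"host": "ws03", "os": "Windows 10", "arch": "x64", "chrome": "73.0.3683.75"},
    {"host": "ws04", "os": "Windows 10", "arch": "x64", "chrome": "72.0.3626"},
    {"host": "ws05", "os": "Windows 7", "arch": "x86", "chrome": "unknown"},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.risk} (chrome_unpatched={f.chrome_unpatched}, win7_32bit={f.win7_32bit})")
```

Two design points matter here: a version string that cannot be parsed is treated as unpatched rather than ignored, and a short version such as `72.0.3626` is padded with zeros so it correctly compares as older than the fixed build instead of being rejected or misread.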

Lecigne also advised Windows 7 users to upgrade to Windows 10 as one way to avoid falling victim to the flaw.

Legacy OS

The flaw is a stark reminder of the risk posed by the continued use of legacy operating systems.

Windows 7 was released back in 2009, and millions of PCs are still running the OS, in both corporate and personal environments.

Microsoft ditched support for even older operating systems years ago; support for Windows Vista, for example, ended in 2017.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
