We now know why a number of Googlers made a point of urging users to install the latest Chrome update as soon as possible: the vulnerability (CVE-2019-5786) is definitely being actively exploited in conjunction with another zero-day in Windows.
The danger of a Chrome / Windows exploit
The Windows bug is a local privilege escalation in the win32k.sys kernel driver and can be used as a security sandbox escape, says Google threat analyst Clement Lecigne.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems,” he shared.
Google reported the bug to Microsoft, which has confirmed that it is working on a fix.
In the meantime, Google decided to publicly disclose its existence because it is serious, can still be used to elevate privileges or be combined with another browser vulnerability to evade security sandboxes, and is being actively exploited in targeted attacks.
What can users do about it?
Lecigne advised users to consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available.
Justin Schuh, Engineering Director on Google Chrome, also explained why many Googlers called out this attack more prominently than previous zero-day attacks against Chrome.
“Past 0days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention,” he noted.
“This newest exploit is different, in that the initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action.”
So, if you’re using Chrome, you might want to check whether it has already been automatically upgraded to the latest version (v72.0.3626.121 for both the desktop and mobile versions) and restart your device once the update is installed.
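The distinction Schuh draws (update downloaded versus update actually running) is exactly what a patch-compliance check has to capture: a host can have 72.0.3626.121 on disk while the browser process that is still open runs the vulnerable build. The following is an added example, not code from the article or from Google, that compares the version the running browser reports against the version installed on disk and against the fixed version named above. The two input strings are constructed stand-ins for whatever your inventory tool reports (for instance the chrome://version page for the running process, and the file version of the installed binary); how those strings are collected is left to the reader.

```python
import re
from typing import Optional, Tuple

# Fixed Chrome release named in the article for CVE-2019-5786.
FIXED_VERSION = "72.0.3626.121"

# Matches the first dotted version number in a line such as
# "Google Chrome 72.0.3626.119" or a bare "72.0.3626.121".
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from free text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def version_ge(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Component-wise comparison; shorter tuples are padded with zeros so
    72.0.3626 compares as 72.0.3626.0 rather than by string order."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def is_patched(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version found in `text` is at or above the fixed version,
    False if older, None if no version could be parsed."""
    installed = parse_version(text)
    if installed is None:
        return None
    return version_ge(installed, parse_version(fixed))


def assess(running_text: str, installed_text: str,
           fixed: str = FIXED_VERSION) -> str:
    """Classify a host from the running browser version and the on-disk version:
       patched          - the running process already has the fix
       restart_required - the fix is installed but the old build is still running
       update_required  - neither the running nor the installed build has the fix
       unknown          - one of the inputs carried no parseable version"""
    running = parse_version(running_text)
    installed = parse_version(installed_text)
    fixed_t = parse_version(fixed)
    if running is None or installed is None:
        return "unknown"
    if version_ge(running, fixed_t):
        return "patched"
    if version_ge(installed, fixed_t):
        return "restart_required"
    return "update_required"


if __name__ == "__main__":
    # Constructed sample inventory rows: (host, running version, on-disk version).
    hosts = [
        ("ws-01", "Google Chrome 72.0.3626.121", "72.0.3626.121"),
        ("ws-02", "Google Chrome 72.0.3626.119", "72.0.3626.121"),
        ("ws-03", "Google Chrome 72.0.3626.119", "72.0.3626.119"),
        ("ws-04", "version unavailable", "72.0.3626.121"),
    ]
    for host, running, installed in hosts:
        print(f"{host}: {assess(running, installed)}")
```

The comparison is done on integer tuples rather than on strings so that a later release such as 73.0.3683.75 is correctly recognised as patched; a naive string compare would rank it below 72.0.3626.121. Hosts reported as restart_required are the ones Schuh's remark is about: the download was automatic, the restart was not.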
A security update for Chrome OS that fixes the flaw has also been provided.