Severe vulnerability discovered on Windows 7 and exploited through Chrome
A combination of two vulnerabilities on older versions of Windows and Chrome would have allowed unidentified attackers to perform an exploit to attack third-party computers.
Some Google security experts have reported that it is necessary to switch to the latest version of Windows and Chrome to protect themselves from a ” serious security vulnerability ” that cybercriminals have already actively used.
Unidentified attackers have made an exploit that uses an escalation of privileges possible on Windows and a vulnerability that was present on Chrome until last Friday, now correct. The combination is no longer effective if you use the latest version of Chrome, but the exploit on Windows remains for those who do not use an outdated version of the OS.
Google researchers already reported the exploit to Microsoft and, according to the internal rules of the team, now they have publicly disclosed it.
” The not yet corrected Windows vulnerability could be used to scale privileges or combined with another browser vulnerability in use to evade security sandboxes, ” Google’s Clement Lecigne wrote, specifying that Microsoft is currently working on patch. The vulnerability is present on the win32k.sys kernel driver and offers the attacker the possibility of violating the security sandboxes that browsers use to prevent ” untrusted ” code from interacting with sensitive parts of the OS.
The attackers exploited the vulnerability with Chrome along with a bug that was present on Google’s browser within the FileReader component. The exploit is present according to Google only on Windows 7 ” considering the new mitigations on the aggressions presented on the most-recent versions “.
Google has also informed that ” active assaults against only Windows 7 32-bit systems have been observed “. For its part, Microsoft has stated that it is committed to ensuring maximum security with users, and that it will release an ” as soon as available ” update.
To work around this problem, if you use Chrome, it’s still sufficient to install the version released last week and restart the browser. However, the exploit could also be used with other browsers if a bug similar to the one discovered on Chrome was detected.