Welcome to DU!
    The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
    Join the community:
    Create a free account
    Support DU (and get rid of ads!):
    Become a Star Member
    Latest Breaking News
Editorials & Other Articles
General Discussion
The DU Lounge
    All Forums
        Issue Forums
        Culture Forums
        Alliance Forums
        Region Forums
        Support Forums
        Help & Search
    
Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7
Source: Forbes
Mar 9, 2019, 02:41am
Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7
Davey Winder
Contributor
Cybersecurity
I report and analyse breaking cybersecurity and privacy stories
Earlier this week Google released an update for the Chrome web browser that it urged users to ensure was implemented immediately. That was because the Threat Analysis Group at Google had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that another zero-day vulnerability that is also being exploited, impacting Windows 7 users, was being used together with the Chrome exploit to take over Windows systems. Google is now urging all Windows 7 users to upgrade to Windows 10, as well as make sure their Chrome browser is up to date, to escape the attention of the combined threat.
The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that allows it to escape the security sandbox. The vulnerability can be used to elevate system privileges by an attacker who might then be able to execute remote malicious code. "The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances" Clement Lecigne said, adding "we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems."
The Google Threat Analysis Group disclosed the zero-day to Microsoft who have said they are working on a fix but, as of yet, there is no indication of how long this might take. Currently the status of this vulnerability has to remain as a critical and unpatched one. For this reason, Google is advising users of Windows 7 should upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. "Not all vulnerabilities are created equal, and many if considered on their own are not cause for undue concern" says Jim O'Gorman, president of Offensive Security, who continues "if they were flagged by the organization's security solution, they likely would not have been prioritized in patching. It's when a group of seemingly minor flaws are chained together that they can be used to devastating effect."
Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7
Davey Winder
Contributor
Cybersecurity
I report and analyse breaking cybersecurity and privacy stories
Earlier this week Google released an update for the Chrome web browser that it urged users to ensure was implemented immediately. That was because the Threat Analysis Group at Google had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that another zero-day vulnerability that is also being exploited, impacting Windows 7 users, was being used together with the Chrome exploit to take over Windows systems. Google is now urging all Windows 7 users to upgrade to Windows 10, as well as make sure their Chrome browser is up to date, to escape the attention of the combined threat.
The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that allows it to escape the security sandbox. The vulnerability can be used to elevate system privileges by an attacker who might then be able to execute remote malicious code. "The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances" Clement Lecigne said, adding "we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems."
The Google Threat Analysis Group disclosed the zero-day to Microsoft who have said they are working on a fix but, as of yet, there is no indication of how long this might take. Currently the status of this vulnerability has to remain as a critical and unpatched one. For this reason, Google is advising users of Windows 7 should upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. "Not all vulnerabilities are created equal, and many if considered on their own are not cause for undue concern" says Jim O'Gorman, president of Offensive Security, who continues "if they were flagged by the organization's security solution, they likely would not have been prioritized in patching. It's when a group of seemingly minor flaws are chained together that they can be used to devastating effect."
Read more: https://www.forbes.com/sites/daveywinder/2019/03/09/google-says-upgrade-to-windows-10-after-critical-flaws-found-in-chrome-and-windows-7/
______________________________________________________________________
Also: Google reports zero-day exploit in Windows 7, Microsoft yet to release patch (The Verge)
					
						4 replies
						
							 = new reply since forum marked as read
						
					
     
					
						Highlight:
						NoneDon't highlight anything
						5 newestHighlight 5 most recent replies
  = new reply since forum marked as read
						
					
     
					
						Highlight:
						NoneDon't highlight anything
						5 newestHighlight 5 most recent replies
					
				
				 = new reply since forum marked as read
						
					
     
					
						Highlight:
						NoneDon't highlight anything
						5 newestHighlight 5 most recent replies
  = new reply since forum marked as read
						
					
     
					
						Highlight:
						NoneDon't highlight anything
						5 newestHighlight 5 most recent replies
					
				
						Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7 (Original Post)
						Eugene
						Mar 2019
						OP
					
      
      
      
      
      
      
      
      
ThingsGottaChange
(1,200 posts)1. Google can kiss my arse... nt
        KT2000
(21,774 posts)2. So - if I have Win 7
        but no Chrome, does that mean the threat does not exist?
Eugene
(66,511 posts)3. A Techspot article gives more information.
        The sandbox failure in Chrome was one way to reach the kernel driver.  It may not be the only way in.
FWIW, Microsoft says the kernel bug only affects 32-bit systems.
Techspot: Major Windows 7 zero-day discovered, enables privilege escalation in combination with another Chrome exploit
https://www.techspot.com/news/79089-major-windows-7-zero-day-discovered-enables-privileged.html
 
 

