Google’s Threat Analysis group has disclosed two 0-day vulnerabalities affecting Google Chrome and Windows 7 PCs yesterday (via Ars Technica). Google said it has already patched Chrome to remediate the vulnerability on March 1, and it’s recommending users to make sure that they have already updated the web browser to version 72.0.3626.121 or newer.
As for the Windows 7 vulnerability, Google says that it already reported it to Microsoft but had to reveal it yesterday after the end of its to a 90-day disclosure deadline. The Redmond giant is said to already be working on a fix, but according to Google this vulnerability is already being exploited in targeted attacks.
It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.
We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.
As Microsoft has yet to announce when it will fix this vulnerability, Google is recommending Windows 7 users to upgrade their PCs to Windows 10. Microsoft announced yesterday that the new OS is now running on 800 million devices worldwide, but 43.93% of Windows users were still using Windows 7 in March according to Netmarketshare.