Google security officials are advising Windows users to ensure they’re using the latest version 10 of the Microsoft operating system to protect themselves against a “serious,” unpatched vulnerability that attackers have been actively exploiting in the wild.
Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks,” Clement Lecigne, a member of Google’s Threat Analysis Group, wrote in a blog post published Thursday. “The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.”
The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome’s FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne wrote. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”
Microsoft representatives declined to say when the flaw would be fixed or say if company officials planned to provide a public advisory. “Microsoft has a customer commitment to investigate reported security issues and proactively update as soon as possible,” Microsoft Senior Director Jeff Jones wrote in a statement sent by the company’s outside public relations firm.
While Chrome users have had a patch available for six days to protect themselves against the in-the-wild attacks, the fix in many cases requires a browser restart before taking effect. That’s a departure from many Chrome patches, which work as soon as they’re installed. In a series of tweets, Leading Chrome Security and Desktop Engineer Justin Schuh said that previous zeroday Chrome exploits targeted Flash components that could be updated without any user intervention.
“This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded,” Schuh wrote. “For most users, the update download is automatic, but restart is a usually a manual action.”
This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is a usually a manual action. [3/3]
— Justin Schuh ? (@justinschuh) March 7, 2019
As sandboxes and other security mitigations have become increasingly effective at preventing drive-by exploits, the value of privilege escalation vulnerabilities have grown. There are no reports that the unpatched Windows vulnerability is being used in combination with other vulnerabilities, but given its effectiveness, it wouldn’t be surprising if that were to happen. Google’s Lecigne advised Windows users to upgrade to version 10.