Patched Chrome exploit worked hand-in-hand with critical Windows bug

Image of generic lines of code to indicate hackers at work

Google has revealed the 'highly severe' Chrome flaw patched last Friday was being actively exploited in conjunction with a Windows 7 vulnerability that has still not been fixed.

The first flaw, found in Chrome and dubbed CVE-2019-5786, was a use-after-free memory mismanagement error that was being actively exploited in the wild to pull off remote code execution attacks.

The second zero-day vulnerability, also reported on 27 February, concerned a local privilege escalation in the Windows win32k.sys kernel driver.

Attackers were seen exploiting the two vulnerabilities together, according to Google's Clement Lecigne, to seize control of victims' devices.

"Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft," said Lecigne, a member of Google's threat analysis group.

"Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks."

The Windows flaw, which has not yet been patched, can still be exploited if similar vulnerabilities to that found in Chrome exist in other browsers.

But Google believes this can only be exploited on Windows 7 due to mitigations recently added to newer versions of Microsoft's operating system, and have to date only seen the flaw being exploited on 32-bit Windows 7 installations.

This restricts the scale of the attack to some degree, with Windows 7 bearing a 38.4% share of all users according to the latest figures from Net Marketshare. Factoring in the proportion of Windows 7 users who run 32-bit installations reduces the scope of the attack yet further.

07/03/19: Google fixes 'highly severe' zero-day Chrome exploit

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited by criminals to inject malware onto a user's device.

The company is urging Chrome users to immediately update their web browsers to the latest version, released last week, in light of the discovery of a zero-day vulnerability rated 'highly severe'.

The flaw, termed CVE-2019-5786, is a memory mismanagement bug in Chrome's FileReader, an API included in all web browsers that allows apps to read files stored on a user's device or PC.

Its nature as a 'use-after-free' error means it tries to access memory after it has been deleted from Chrome's allocated memory and, through this mechanism, could lead to the execution of malicious code.

"According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.

"That's a programming tool that makes it easy for web developers to pop up menus and dialogues asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail."

"When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren't supposed to. Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what's called Remote Code Execution."

This breed of attack means cyber criminals could inject malware onto unsuspecting users' machines without any warning, or seize full control of a device.

The vulnerability was discovered by Clement Lecigne of Google's threat analysis group on 27 February. Google's technical program manager Abdul Syed said that the company has become aware of active exploits in the wild, but provided no further information as to the nature of these or who had been targeted.

Google initially released the fix on Friday 1 March, but updated its original announcement to provide further details around the flaw.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.