Google says Chrome on Windows combo zero-day exploited in the wild

Google is warning that two zero-day flaws are being actively exploited in attacks against its Chrome web browser running on Microsoft's Windows operating system, and advises users to update their installations as soon as possible.

Chrome security lead Justin Schuh said the current chained exploits differ from past attacks as they target the web browser code directly, and not plugins.

This meant that unless users manually restart their browsers after updating them, they could still be vulnerable.

Past 0days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention. [2/3]

— Justin Schuh �� (@justinschuh) March 7, 2019

Full details of the Chrome CVE-2019-5786 flaw are still under wraps, but it involves a memory use after it's freed bug in the FileReader application programming interface. 

FileReader allows websites access to local files on computers, and a use-after-free vulnerability could allow attackers to execute arbitrary code on users machines.

The second part of attack chain comprises a local privilege escalation vulnerability in the Windows kernel driver (win32k.sys).

Clement Lecigne of Google's Threat Analysis Group said the vulnerability is a NULL pointer dereference in win32k!MNgetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.

This can be used by malicious code to escape the security sandbox, but Google strongly believes the vulnerability is only exploitable on the older Windows 7.

To date, Google said it has only seen active exploitation of the flaw against Windows 7 32-bit.

Google has reported the vulnerability to Microsoft which is working on a fix.

To mitigate against the win32k.sys privilege escalation vulnerability, Google suggests users consider upgrading to Windows 10, and apply patches from Microsoft when they become available.