Written by Sean Lyngaas
Researchers at Google have found previously unkown vulnerabilities – one in Google Chrome and the other in Microsoft Windows – that they say attackers have been exploiting in tandem.
Both zero-day vulnerabilities could allow hackers to escape the “sandboxes” that software programs use as safeguards against malicious activity.
The vulnerability in Chrome, the web’s most popular browser, affects Chrome’s FileReader API, and could allow an attacker to carry out remote code execution. The Windows vulnerability, which Google researchers had been exploited on Windows 7, could give a hacker the ability to escalate privileges on a certain Windows kernel driver, letting the attacker break out of a security sandbox.
Google has released a patch for the Chrome vulnerability, while Microsoft is still working on its own, according to Clement Lecigne, a researcher with Google’s Threat Analysis Group.
“The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes,” Lecigne wrote in a blog post Thursday.
Users should upgrade to the latest versions of Chrome. For those with older versions of Windows, consider installing Windows 10, Lecigne said.
Justin Schuh, who leads Chrome’s security team, said the exploit is different from others in that it targets Chrome code directly, requiring users to restart the browser after patching.
This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is a usually a manual action. [3/3]
— Justin Schuh 🗑 (@justinschuh) March 7, 2019