Google has announced a pair of linked critical vulnerabilities that are being actively exploited in the wild. They affect the FileReader API in Google Chrome and the win32k.sys kernel driver in Windows 7. Used together, the Chrome flaw gives an attacker code execution inside the browser's renderer sandbox and the Windows flaw lets that code escape the sandbox, so an attacker who lures a user to malicious web content can take control of the victim system.
Alert Logic® customers may be impacted by this threat if you:
- Run any version of Windows 7 (Google reports that it has so far observed active exploitation only against 32-bit Windows 7 systems), AND
- Run a version of the Google Chrome browser earlier than 72.0.3626.121.
For this threat, two vulnerabilities are chained: the Chrome bug provides the initial code execution, and the Windows bug provides the sandbox escape.
- A use-after-free vulnerability in the Google Chrome FileReader (CVE-2019-5786). This is the entry point: web content reaching the renderer process triggers it to gain code execution inside the Chrome sandbox. Google has stated that it is withholding technical details to avoid further exploitation attempts.
- A null pointer dereference vulnerability in the Windows 7 win32k.sys kernel driver. Code already running inside the Chrome sandbox triggers it to escalate to kernel privileges, so it serves as the sandbox escape, effectively a local privilege escalation. The dereference occurs in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is invoked under specific circumstances.
Alert Logic Coverage
Vulnerability scan coverage has been available since March 11, 2019: authenticated scans identify Chrome installations below the fixed version.
Recommendations for Mitigation
Update Chrome to version 72.0.3626.121 or later to obtain the security fix. Note that Chrome downloads updates in the background but the new version only takes effect after the browser is relaunched, so verify the running version in chrome://settings/help rather than assuming the update has applied. More information about this fix is available from Google's Chrome Releases blog.
A Microsoft patch is reportedly in development. When a Microsoft patch becomes available, this article will be updated with the patch information. See the Updates section below on how to follow this article to receive notifications about new information. Google's current recommendation is to upgrade to Windows 10, where exploit mitigations added in newer Windows versions are believed to block this sandbox escape, and to apply the Microsoft patch as soon as it is released.
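The two criteria above (Windows 7 AND Chrome earlier than 72.0.3626.121) are easy to get wrong when checked by hand or with a naive script, because dotted version strings do not compare correctly as text. The following is an added example, not Alert Logic's scanner code and not from Google: it triages a host inventory against this advisory's criteria. The inventory format is an assumption (OS caption and NT version as reported by Win32_OperatingSystem, plus the ProductVersion of chrome.exe), and the sample hosts are constructed for illustration. It also lists, separately, every host that still needs the Chrome update regardless of OS, since the FileReader bug affects Chrome on any platform even where the Windows 7 sandbox escape does not apply.

```python
"""Triage a host inventory against this advisory's exposure criteria.

Added example (not Alert Logic's scanner code). The inventory format is an
assumption: each record carries the OS caption and NT version as reported by
Win32_OperatingSystem, plus the ProductVersion of chrome.exe if Chrome is
installed. The sample hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First Chrome release containing the FileReader fix, per this advisory.
FIXED_CHROME = "72.0.3626.121"


@dataclass
class Host:
    name: str
    os_caption: str                # Win32_OperatingSystem.Caption
    os_version: str                # Win32_OperatingSystem.Version, e.g. "6.1.7601"
    chrome_version: Optional[str]  # chrome.exe ProductVersion, None if not installed


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so components compare numerically.

    Plain string comparison is wrong here: "72.0.3626.96" > "72.0.3626.121"
    as strings because "9" > "1", yet build 96 is older than build 121.
    """
    return tuple(int(part) for part in version.split("."))


def chrome_is_vulnerable(chrome_version: str) -> bool:
    """True if the installed Chrome is older than the first fixed release."""
    return parse_version(chrome_version) < parse_version(FIXED_CHROME)


def is_windows7(host: Host) -> bool:
    """Windows 7 reports NT 6.1; the caption distinguishes it from
    Windows Server 2008 R2, which shares that kernel version."""
    major_minor = parse_version(host.os_version)[:2]
    return major_minor == (6, 1) and "Windows 7" in host.os_caption


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Return hosts exposed to the full chain (Windows 7 AND vulnerable
    Chrome) and, separately, every host that still needs the Chrome update
    regardless of OS."""
    chain_exposed: List[str] = []
    chrome_outdated: List[str] = []
    for host in hosts:
        if host.chrome_version is None:
            continue  # no Chrome installed, nothing for this advisory to flag
        if not chrome_is_vulnerable(host.chrome_version):
            continue  # already at or above the fixed release
        chrome_outdated.append(host.name)
        if is_windows7(host):
            chain_exposed.append(host.name)
    return {"chain_exposed": chain_exposed, "chrome_outdated": chrome_outdated}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ws-acct-07", "Microsoft Windows 7 Professional", "6.1.7601", "72.0.3626.96"),
    Host("ws-acct-12", "Microsoft Windows 7 Enterprise", "6.1.7601", "72.0.3626.121"),
    Host("ws-eng-03", "Microsoft Windows 10 Enterprise", "10.0.17763", "72.0.3626.96"),
    Host("srv-file-01", "Microsoft Windows Server 2008 R2 Standard", "6.1.7601", "72.0.3626.81"),
    Host("ws-fin-09", "Microsoft Windows 7 Ultimate", "6.1.7601", None),
    Host("ws-ops-02", "Microsoft Windows 7 Professional", "6.1.7601", "73.0.3683.75"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS)
    print("Exposed to the chained exploit:", ", ".join(result["chain_exposed"]))
    print("Chrome update still required:", ", ".join(result["chrome_outdated"]))
```

Feeding real data into this requires nothing more than exporting the three fields from whatever inventory or endpoint-management tool you already have; the point of the example is the numeric version comparison and the AND between the two criteria, not the data source.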
Updates
This section will be updated with new information about these Chrome and Windows vulnerabilities and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.