Google warns of two yet unknown vulnerabilities in Chrome and Windows 7 that are being actively exploited together. Details remain secret in order to protect users.
Two serious vulnerabilities in Chrome/Chromium and Windows allow attackers to infiltrate a foreign system, gain local elevated privileges and subsequently take control of the devices. The security update for the CVE-2019-5786 vulnerability in Chrome has already been distributed automatically; Microsoft is still working on a fix for Windows.
Check now: Security Update for Chrome
Thanks to an automatic update on March 1, many devices have already been updated to the patched version of Chrome (72.0.3626.101 or higher). Please check the settings of your browser. Updates are usually performed in the background when the browser is closed or reopened. If the update was not applied automatically, click the three-point menu at the top right of your browser, then click Update Google Chrome and then Restart. If you don’t see this option, you already have the latest version installed. Linux users update Chrome using the Package Manager. Check also your smartphones and update the app at the PlayStore or Apple Store if necessary. All applications based on chromium are also likely to be affected.
Google is still holding back details on the serious gap. However, it is a bug in the FileReader API that allows attackers to provoke a memory error and use it to push their own code onto the device and execute it.
Windows: Vulnerability is actively exploited
According to Google’s security blog, anyone who still uses Windows7 is also at risk. The vulnerability allows attackers to use a null pointer in a Windows kernel driver to extend their user rights. In combination with the Chrome vulnerability, it should be possible to break out of the sandbox and take control of the entire system. Google strongly suspects that only Windows 7 is affected and therefore advises its users to update to Windows 10 if possible.
Be sure to enable automatic software updates and restart your devices regularly so that these updates can be installed!
We are looking forward to hearing from you!
IKARUS Security Software GmbH
Phone: +43 (0) 1 58995-0
Fax: +43 (0) 1 58995-100
Sales Hotline: +43 (0) 1 58995-500