The last few years saw Microsoft telling Google how its browser was sub-par and Google showing Microsoft how its products were full of security flaws. But since Microsoft waved the white flag and even announced that it would use Google’s open-source Chromium engine for its Edge browser, the two tech titans appear to be getting along quite nicely.
Google has discovered a zero-day security vulnerability in the Windows operating system and is suggesting that users “consider upgrading to Windows 10 if they are still running an older version of Windows.”
The security bug is being actively exploited in the wild – Google Chrome restart is recommended
Attackers have been using a local privilege escalation exploit in Windows in combination with a security flaw in Chrome. Google issued a fix for its browser, making sure that everyone who is running the latest version of Chrome isn’t affected by this security issue.
However, the Pixel maker said that the Windows exploit could still be used against people who are running older versions of Windows, as it “strongly” believes “this vulnerability may only be exploitable on Windows 7.”
It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.
The security flaw helps attackers break out of browser sandboxes, which ensure that untrusted code cannot interact with sensitive parts of the operating system. Google informed Microsoft about these bugs and the company is reportedly working on a fix.
“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Clement Lecigne of Google’s Threat Analysis Group wrote. “Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”
Even for Chrome users, in many cases a restart of the browser is needed to protect against this in-the-wild security bug.
This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action. [3/3]
— Justin Schuh (@justinschuh) March 7, 2019
– We will update this space when Microsoft delivers a patch.
The post Now That the Google-Microsoft War Is Over, Google Is Helping Microsoft Get Some More Windows 10 Users by Rafia Shaikh appeared first on Wccftech.
Reference: https://wccftech.com