Google's Project Zero is well known for finding vulnerabilities and exploits in Microsoft's operating system, as well as for its controversial disclosure policies. This week, Google's security research team has once again disclosed a vulnerability in one of Microsoft's products. What makes this disclosure more urgent is that the vulnerability is currently being exploited together with another zero-day vulnerability in the Chrome browser.
The search giant has already patched the vulnerability in its browser (CVE-2019-5786) via an update it pushed out last Friday, and is asking users to ensure that their Chrome installation is on version 72.0.3626.121 or higher.
"Past 0days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention." [2/3] — Justin Schuh 🗑 (@justinschuh), March 7, 2019
Unlike previous zero-day exploits, though, this one is more dangerous, as Chrome security lead Justin Schuh explains. While previous exploits used Flash as their first target of attack, this exploit directly targets Chrome code. In the earlier cases the company could silently patch the problem and push the fix out without much intervention required on the users' part, whereas the fix for this exploit requires the browser to be restarted. This is, of course, a manual action and requires the user to be proactive and update their browser, lest they remain vulnerable to attack.
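A fleet check for the two conditions described above (Chrome at version 72.0.3626.121 or higher, and a restart so that the fixed code is the code actually running), as an added example that is not from the article or from Google. The host names, the sample versions and the installed/running inventory fields are constructed assumptions about what an endpoint inventory reports.

```python
# Added example: classify hosts against the Chrome fix for CVE-2019-5786.
FIXED = "72.0.3626.121"  # fixed version named in the article


def parse_version(text):
    """Turn '72.0.3626.121' into (72, 0, 3626, 121); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(installed, running, fixed=FIXED):
    """Return 'patched', 'restart-required', 'vulnerable' or 'unknown'.

    installed: version of the Chrome binary on disk (assumed inventory field)
    running:   version of the live browser process, or None if not running
    """
    fixed_v = parse_version(fixed)
    try:
        inst = parse_version(installed)
        run = parse_version(running) if running else None
    except ValueError:
        return "unknown"  # unparseable data needs a manual look
    if inst < fixed_v:
        return "vulnerable"
    if run is not None and run < fixed_v:
        # Update is on disk, but the old code stays loaded until a restart.
        return "restart-required"
    return "patched"


# Constructed inventory rows: (host, installed version, running version)
INVENTORY = [
    ("ws-001", "72.0.3626.121", "72.0.3626.121"),
    ("ws-002", "72.0.3626.121", "72.0.3626.119"),  # updated, not restarted
    ("ws-003", "72.0.3626.119", "72.0.3626.119"),
    ("ws-004", "72.0.3626.9", "72.0.3626.9"),  # a string compare would pass this
    ("ws-005", "unknown", None),
]


def report(inventory):
    """Map each host to its status."""
    return {host: classify(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 72.0.3626.9 above 72.0.3626.121 and report a vulnerable host as patched.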
The second exploit, which targets Microsoft's operating system, involves the win32k.sys kernel driver and is an escalation of privilege attack. According to Google, the vulnerability most likely only works on Windows 7, due to Microsoft's work on strengthening security in newer versions of Windows; Project Zero researchers were only able to implement the exploit in 32-bit versions of Windows 7.
Microsoft has been informed of the vulnerability, which according to Google is actively being exploited, and the company is working on making mitigations available; however, none have been rolled out to Windows 7 users yet. Until they are available, Google recommends that users upgrade their OS to Windows 10 to protect themselves against the exploit.