Earlier this week, Google confirmed that a Chrome vulnerability was being exploited in the wild, after releasing patches for the Mac, Windows, Linux, and Android browsers, as well as Chrome OS. Today, the company is officially disclosing it, along with a second zero-day, in Windows, that it found being used alongside it.
Google’s Threat Analysis Group reported two zero-day vulnerabilities on Wednesday, February 27th. The first affects Chrome on all platforms; Google shipped a fix last Friday for desktop and Android, and for Chrome OS this Tuesday. Google is now advising users to confirm (Settings > Help > About Google Chrome) that version 72.0.3626.121 or later is installed.
Chrome’s auto-update downloads the new build in the background, but it only takes effect the next time the browser is launched, so a Chrome window that has been open for days can still be running the vulnerable build even though the update has already been downloaded. Chrome will also prompt from the top-right corner of the window to relaunch. The bug (CVE-2019-5786) is a use-after-free in the FileReader API and at worst allows remote code execution, though only inside Chrome’s sandboxed renderer process; getting out of the sandbox is where the second vulnerability comes in.
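The check above is easy to get wrong at fleet scale because Chrome version strings do not sort correctly as text: "72.0.3626.121" compares lower than "72.0.3626.96" character by character, which would report a patched browser as vulnerable. The following script is an added example (not code from the article or from Google) that parses the version numerically and triages a constructed asset-inventory export, flagging unpatched Chrome on Windows 7 hosts as the top priority since that is the configuration the exploit chain was seen targeting. The CSV columns and hostnames are assumptions for the illustration.

```python
"""Triage an endpoint inventory against the Chrome 72.0.3626.121 fix.

Added example, not from the original article. The inventory rows below are
constructed for illustration; a real run would read them from an
asset-management export with the same columns (assumed layout).
"""
import csv
import io
import re

# Minimum fixed Chrome version named in the article (desktop and Android).
FIXED_CHROME = "72.0.3626.121"

# Constructed sample export: hostname, operating system, Chrome version string.
SAMPLE_INVENTORY = """hostname,os,chrome_version
win7-acct-01,Windows 7,72.0.3626.96
win10-eng-04,Windows 10,72.0.3626.96
mac-design-02,macOS,72.0.3626.121
lin-build-07,Linux,73.0.3683.20
win7-recv-03,Windows 7,72.0.3626.121
win10-sales-09,Windows 10,71.0.3578.98
"""


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Chrome versions must be compared numerically: as plain strings
    '72.0.3626.121' sorts below '72.0.3626.96', which would mark a
    patched browser as vulnerable.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Chrome version: %r" % text)
    return tuple(int(x) for x in m.groups())


def chrome_is_vulnerable(version, fixed=FIXED_CHROME):
    """True when the installed build predates the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(csv_text):
    """Return (hostname, priority) pairs for endpoints that still need the patch.

    'critical': unpatched Chrome on Windows 7, where the FileReader bug was
                chained with the still-unpatched win32k.sys escalation for a
                full sandbox escape.
    'high':     unpatched Chrome elsewhere; the renderer bug alone is still
                code execution inside the sandbox.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not chrome_is_vulnerable(row["chrome_version"]):
            continue
        prio = "critical" if row["os"].startswith("Windows 7") else "high"
        findings.append((row["hostname"], prio))
    return findings


if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print("%-16s %s" % (host, prio))
```

Note that a host reporting 72.0.3626.121 from its installed files is not necessarily safe either: as the paragraph above explains, the new build only runs after a relaunch, so an inventory that reads the on-disk version should be paired with a check of the running process where that is available.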
Meanwhile, the second zero-day is in Windows itself, though Google “strongly believe[s] this vulnerability may only be exploitable on Windows 7.” The Chrome and Windows vulnerabilities “were being exploited together”: the Chrome bug gives code execution in the sandboxed renderer, and the Windows bug breaks out of it.
It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex, reached when the NtUserMNDragOver() system call is invoked under specific circumstances. A kernel NULL dereference is only useful to an attacker who can map the page at address zero and place controlled data there; Windows 8 and later block user-mode processes from mapping that low region, which is why Google expects the bug to be practical only on Windows 7.
Google reported the problem to Microsoft last week and is disclosing it publicly today under its seven-day policy for vulnerabilities that are under active exploitation. Microsoft is working on a fix; in the meantime Google advises users to move to Windows 10, where recent exploit mitigations block this attack.
Until that fix ships, Google’s post notes, “the unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.”