Google security officials are advising Windows users to ensure they’re using the latest version 10 of the Microsoft operating system to protect themselves against a “serious” unpatched vulnerability that attackers have been actively exploiting in the wild.
Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday. While that specific exploit combination won’t be effective against Chrome users who are running the latest browser version, the Windows exploit could still be used against people running older versions of Windows. Google researchers privately reported the vulnerability to Microsoft, in keeping with its vulnerability disclosure policy.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks,” Clement Lecigne, a member of Google’s Threat Analysis Group, wrote in a blog post published Thursday. “The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.”
The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome’s FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.