Now That the Google-Microsoft War Is Over, Google Is Helping Microsoft Get Some More Windows 10 Users
The last few years saw Microsoft telling Google how its browser was sub-par and Google showing Microsoft how its products were full of security flaws. But since Microsoft waved the white flag and has even announced using Google’s open-source Chromium engine for its Edge browser, the two tech titans appear to be getting along quite nicely.
Google recently discovered a zero-day security vulnerability in the Windows operating system, which is being actively exploited in the wild. As a mitigation, the company is advising users to “consider upgrading to Windows 10 if they are still running an older version of Windows.” Last night, Microsoft announced that its latest operating system is now powering over 800 million active devices.
The security bug is being actively exploited in the wild; Google Chrome restart is recommended
Attackers have been using a local privilege escalation exploit in Windows in combination with a security flaw in Chrome. Google issued a fix to its browser making sure that everyone who is running the latest version of Chrome isn’t affected by this security issue.
However, the Pixel maker said that the Windows exploit could still be used against people who are running older versions of Windows as it “strongly” believes “this vulnerability may only be exploitable on Windows 7.”
The security flaw helps attackers to break out of browser sandboxes, which ensure that untrusted code cannot interact with sensitive parts of the operating system. Google informed Microsoft about these bugs and the company is reportedly working on a fix.
It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.
“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Clement Lecigne of Google’s Threat Analysis Group wrote. “Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”
Even for Chrome users, in many cases a restart of the browser is needed to protect against this in-the-wild security bug.
This newest exploit is different, in that the initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action. [3/3]
— Justin Schuh (@justinschuh) March 7, 2019
Windows 7 fans who continue to use the operating system will soon be left without any security patches, as the OS reaches its end-of-support deadline this coming January. Microsoft has detailed an add-on support plan for enterprises, which will go on sale in April.
– We will update this space when Microsoft delivers a patch.