Google has advised Windows 7 users to upgrade to Windows 10 following the discovery of a zero-day privilege escalation flaw.
Unidentified hackers are “actively exploiting” the vulnerability by combining it with a separate security flaw in the Chrome browser that Google fixed on March 1st.
That specific combination may not affect users running the latest Chrome version, but the Windows exploit could still be used against people running older versions of Windows.
“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks,” Clement Lecigne, a member of Google’s threat analysis group, said in a blog post last Thursday (March 7th).
“The unpatched Windows vulnerability can still be used to elevate privileges or, combined with another browser vulnerability, to evade security sandboxes. Microsoft has told us they are working on a fix.”
According to Google, the flaw resides in the Windows win32k.sys kernel driver and can be used as a security sandbox escape.
“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems,” Lecigne said.
Microsoft, he added, is currently working on a patch to fix the flaw in Windows 7.
News of the flaw comes months before Microsoft plans to end extended support for Windows 7, with organisations required to pay up to $50 (£38) per device for security updates, while home users are left completely vulnerable.
Google Chrome engineering director, Justin Schuh, said in a tweet that the company has been more vocal this time around about these kinds of security flaws, because most browser-based vulnerabilities tend to target Adobe Flash, which is updated separately on browsers like Chrome.
“Past zero days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention,” he noted.
“This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but a restart is usually a manual action.”
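For administrators who want to turn the two points above into a check, here is an added example (not code from the article, Google or Microsoft): a PowerShell triage script that reports whether a host is Windows 7 and 32-bit, the population Google said it had seen exploited, and whether the installed Chrome is older than the fixed build or has the fix staged on disk without the browser having been restarted. The fixed Chrome build number is not given on the page, so `$FixedChromeVersion` is a placeholder the caller fills in; the "two version folders means a restart is pending" rule is an assumed heuristic, and the function name `Get-ChromeTriage` is hypothetical.

```powershell
# Added example, not from the article, Google or Microsoft.
# Triages one Windows host for the exposure described above:
#  1. Is it Windows 7, and is it 32-bit (the only platform Google reported seeing exploited)?
#  2. Which Chrome build is on disk, is Chrome running, and is an update staged
#     but not yet applied because the browser was never restarted?
# Assumptions: $FixedChromeVersion is a PLACEHOLDER for the build carrying Google's
# March 1 fix; the staged-update check is a heuristic (two version-named folders
# next to chrome.exe until the next restart).

param(
    [version]$FixedChromeVersion = '0.0.0.0'   # PLACEHOLDER: set to the fixed Chrome build
)

function Get-ChromeTriage {
    param([version]$FixedVersion)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        Architecture   = $os.OSArchitecture
        IsWindows7     = ($os.Version -like '6.1.*')      # Windows 7 / Server 2008 R2 kernel
        Is32Bit        = ($os.OSArchitecture -like '32*')
        ChromeOnDisk   = $null
        ChromeRunning  = $false
        RestartPending = $false
        Findings       = @()
    }

    # Standard per-machine and per-user install locations for chrome.exe.
    # ${env:ProgramFiles(x86)} is empty on 32-bit Windows, so drop empty bases.
    $bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
        Where-Object { -not [string]::IsNullOrEmpty($_) }
    $exe = $bases |
        ForEach-Object { Join-Path $_ 'Google\Chrome\Application\chrome.exe' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    if ($exe) {
        $appDir = Split-Path -Parent $exe
        $result.ChromeOnDisk = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $result.ChromeRunning = [bool](Get-Process -Name chrome -ErrorAction SilentlyContinue)

        # Heuristic (assumption): a downloaded update sits in its own version-named
        # folder beside the running one until the browser restarts and cleans up.
        $versionDirs = Get-ChildItem -LiteralPath $appDir -Directory |
            Where-Object { $_.Name -match '^\d+(\.\d+){3}$' }
        $result.RestartPending = $result.ChromeRunning -and (@($versionDirs).Count -gt 1)
    }

    if ($result.IsWindows7) {
        $result.Findings += 'Windows 7: depends on the pending win32k.sys fix from Microsoft; schedule the upgrade.'
        if ($result.Is32Bit) {
            $result.Findings += 'Windows 7 32-bit: the only platform Google reported seeing exploited.'
        }
    }
    if (-not $exe) {
        $result.Findings += 'Chrome not found in the standard install locations.'
    } elseif ($result.ChromeOnDisk -lt $FixedVersion) {
        $result.Findings += "Chrome $($result.ChromeOnDisk) on disk is older than the fixed build $FixedVersion."
    } elseif ($result.RestartPending) {
        $result.Findings += 'Chrome update is staged on disk but the browser has not been restarted.'
    }

    [pscustomobject]$result
}

Get-ChromeTriage -FixedVersion $FixedChromeVersion | Format-List
```

Run it as `.\Chrome-Triage.ps1 -FixedChromeVersion <build>` on each host, or wrap `Get-ChromeTriage` in `Invoke-Command` to collect the objects from a fleet; hosts with both `IsWindows7` and a non-empty `Findings` list are the ones the article's advice applies to first.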