Google recommends upgrading to Windows 10 to avoid unpatched Windows 7 zero-day that's being actively exploited
Google is warning users of Windows 7 that they are at risk from a privilege escalation zero-day bug -- and the advice is to upgrade to Windows 10 as there is no patch currently available for the actively exploited vulnerability.
The problem stems from two vulnerabilities being exploited in combination -- one in Chrome, and one in Windows. Having pushed out a patch to its Chrome web browser, Google is warning that Windows 7 users are still exposed until such a time as Microsoft develops a patch.
- Speed up Windows 10 with the Retpoline Spectre fix
- Google Project Zero reveals 'high severity' macOS vulnerability that Apple has failed to patch
- Dirty_Sock vulnerability in Canonical's snapd could give root access on Linux machines
Google noticed the Windows 7 vulnerability when it detected another vulnerability in Chrome (CVE-2019-5786). The two vulnerabilities were being exploited in combination, and Google has only been able to develop a fix for its own software. Microsoft was informed about the Windows 7 vulnerability, but is yet to develop a patch.
Writing about the problem Clement Lecigne from Google's threat analysis group says:
Pursuant to Google's vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.
He also explains the form the Windows 7 vulnerability takes:
It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndexwhen NtUserMNDragOver() system call is called under specific circumstances.
We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.
As the vulnerability is being exploited in the wild and there is no fix available, the advice is to upgrade to Windows 10. Microsoft has given no indication of when a Windows 7 patch will be ready.