  • Google comes clean on that “emergency” security patch – and shows how it was used to trigger a Windows 7 0day

    Posted on March 8th, 2019 at 07:03 by woody

    Now I understand.

    Google releases patches for its Chrome browser all the time. As @b explained about 36 hours ago, Google sent out a special alert to get Chrome updated specifically to head off a 0day attack.

    I didn’t get too excited about it because Chrome automatically updates itself quite reliably, and because the threat didn’t seem to be all that great.

    A few hours ago, Clement Lecigne of the Google Threat Analysis Group added some key details:

    On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together.

    To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

    The second vulnerability was in Microsoft Windows. It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.

    We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

    Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.

    As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.

    Google’s vulnerability disclosure policy says, to a first approximation, that Google gives software manufacturers 90 days to fix a security hole and, if no fix appears, discloses the details.

    It’ll be interesting to see how Microsoft reacts.

    UPDATE: Catalin Cimpanu has a thorough timeline on ZDNet.


    This topic contains 11 replies, has 6 voices, and was last updated by  anonymous 1 month, 2 weeks ago.

    • #338858 Reply

      Microfix
      Da Boss

      How Microsoft will react is to include a fix in SMQR and SO patches and say nothing but document it a week later for respective patches. One thing for sure, it won’t be documented immediately upon patch release so a week is giving them the benefit of the doubt.
      Opaque Transparency 🙂

      | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
      5 users thanked author for this post.
    • #338883 Reply

      anonymous

      I’m a little confused. What is a Windows 7 0 day?

      • #338906 Reply

        brian1248
        AskWoody Lounger

        A zero-day vulnerability is one for which there are active exploits even before it was announced.  In other words, the “bad guys” knew about the bug and were actively exploiting it before the vulnerability was patched or even known about.  Therefore, once it is discovered by the “good guys”, and before it can be patched, there are zero days before attacks using it will occur.

        Many vulnerabilities (other than zero day vulnerabilities) have no active exploits and it could be many days or weeks before an exploit becomes available.

        5 users thanked author for this post.
    • #339001 Reply

      anonymous

      Thanks for the 0 day explanation

    • #339037 Reply

      anonymous

      This is great for others but what about persons stuck on Vista and using an “unsupported” Chrome? There was a time where the security of the internet was critical on all being updated so the “virus” could not easily spread. Is that still true? Are these exploits done in old code or the current “patched” one? Is it even likely that a non patched computer or browser could be more secure than a patched one?

      If the above is true “There was a time where the security of the internet was critical on all being updated so the “virus” could not easily spread”, then would it not be in the interest of keeping ALL patched regardless of OS version or Browser Version? After all then an ‘unprotected’ browser could in theory infect all others.

      • #339176 Reply

        anonymous

        You stick with old programs, your risk is increased but that doesn’t mean you will be hit. Generally, you (as in the person behind the keyboard) need to do something that triggers the virus.

        Very dated but possibly helpful article

        Another possibly useful article

        The problem with zero-day malware is your AV program will not ‘see’ it. Even VirusTotal is likely to report the file/link containing the malware is clean. So, occasionally run a demand scanner (examples: Malwarebytes; Superantispyware).

        Something else that can function as a demand scanner on running processes is Sysinternals Process Explorer – look through the menu options. Sysinternals Autoruns also has the VirusTotal option.

        1 user thanked author for this post.
    • #339043 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      “As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.”

      It makes one wonder, as I have through the decades, if MSFT was the source of some of these problems…great way to encourage “Updating your OS”!

      “…when they become available”….what a laid back, ho-hum, indefensible attitude when a 0-day is in the wild!

      Life sure looks different from underneath the bus…

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov from "Logan's Run")

      1 user thanked author for this post.
      • #339085 Reply

        anonymous

        Yep, the advisement to begin using Windows 10 as the mitigation looks evil and suggests collusion.

        It also seems somebody at Microsoft quietly fixed that error not informing anybody else or there is actually an overall useful “tail covering” feature that mitigates the bug which still exists inside Windows 10.

    • #339189 Reply

      EP
      AskWoody_MVP

      reaction from Born’s blog:

      https://borncity.com/win/2019/03/08/kritische-chrome-schwachstelle-bedroht-32-bit-windows-7/

      check out the last sentence on there that says “The recommendation of the Google developers to migrate to Windows 10 because of the bug seems to me as a bad joke.”

      1 user thanked author for this post.
    • #339195 Reply

      anonymous

      I wonder if you were using another browser besides Chrome? Would you be exposed?

      MS will patch this eventually and maybe create another problem and then fix it up the following month.

      • #339217 Reply

        anonymous

        Yes. I grudgingly admit Google is acting in good faith here. Because their product contributes to the exposure, they admit it openly and describe the broader problem as well. More information is better than less information. Of course it helps that they seem to have already patched their part.

        Which actually means the opposite of your question. Chrome browser is now the one browser we know has been patched.

        1 user thanked author for this post.
