Clement Legine from Google’s Threat Analysis Group published a blog post today mentioning the details of the Chrome zero-day bug that affected Chrome browser and put users at a major security risk.
Last week, Google released a patch to address Chrome vulnerability (CVE-2019-5786) and the search giant advised users to update their browser immediately to evade any security threat. The company did not divulge much details about the bug that time other than the fact that the vulnerability was related to the FileReader API of Chrome that allows web apps to read the content of files stored on users’ computers.
Fresh details have surfaced in today’s blog post. The post says that the bug that was patched last week could be used together with another Microsoft Windows zero-day vulnerability.
Detailing the Microsoft Windows zero-day bug, Legine said, “It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndexwhen NtUserMNDragOver() system call is called under specific circumstances.”
Google found that this vulnerability could only be exploited on Windows 7 PCs, particularly Windows 7 32-bit systems.
Windows zero-day bug has still not been patched and it could still be combined with another browser vulnerability. Google has advised that users must upgrade to Windows 10 as soon as possible to evade any possible security risks.