Windows 7 Users At Risk From ‘Serious Bug’, Google Warns

Google has warned users of a couple serious zero-day vulnerabilities that affects both Windows and Google Chrome users.

Google said it has already rushed out a patch for the flaw affecting Google Chrome, but it warned that Windows 7 users remain vulnerable as Microsoft has yet to fix the bug.

To make matters worse, Google warned that criminals are “actively exploiting” the flaws and it urged people to apply the Chrome fix as soon as possible.

Windows flaw

Google explained in a blog posting that it had issued its Chrome update at the start of the month.

“This update was pushed through Chrome auto-update,” wrote Clement Lecigne of Google’s Threat Analysis Group. “We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.”

“The second vulnerability was in Microsoft Windows,” wrote Lecigne. “It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.”

Essentially the flaw is located deep within the OS and affects a function that should stop data from one program interacting with something outside that application.

“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne added. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”

“Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft,” Lecigne wrote.

“Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”

Google said that Microsoft had informed them that it is working on a fix.

Lecigne also advised Windows 7 users to upgrade to Windows 10 to avoid the flaw.

One way to avoid falling victim was to upgrade to Windows 10, said Mr Lecigne.

Legacy OS

The flaw is a stark reminder of the risk posed by the continued use of legacy operating systems.

Windows 7 was released back in 2009, and there are still millions of PC still running the OS, in both corporate and personal environments.

Microsoft ditched support for even older operating systems years ago. Support for Windows Vista ended in 2017 for example.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago