Google's Project Zero is well known for finding vulnerabilities and exploits in Microsoft's operating system, as well as for its contentious vulnerability disclosure policy. This week the company's security research team once again discovered an exploit in one of Microsoft's products. More interesting, however, is that the vulnerability is being used together with another zero-day vulnerability in Chrome.
The search giant has already fixed the Chrome vulnerability (CVE-2019-5786) in an update released last Friday, and asks users to make sure that Chrome is updated to version 72.0.3626.121 or later.
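The "72.0.3626.121 or later" check sounds simple, but comparing dotted version strings as text gets it wrong. The following added example (not part of the original article) compares versions numerically and runs the check over a constructed sample inventory; the hostnames and versions in it are made up.

```python
import re

# Minimum fixed Chrome version named in the article (CVE-2019-5786).
PATCHED_CHROME = "72.0.3626.121"

def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version such as '72.0.3626.121' into a tuple of ints.

    Missing trailing components are treated as zero, so '72.0' == '72.0.0.0'.
    Raises ValueError on anything that is not digits separated by dots.
    """
    cleaned = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    parts = [int(p) for p in cleaned.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def chrome_is_patched(version: str, minimum: str = PATCHED_CHROME) -> bool:
    """True when `version` is at least the fixed release.

    Compare numerically, component by component. A plain string comparison
    gets this wrong: '72.0.3626.96' > '72.0.3626.121' lexically, because
    '9' sorts after '1', yet build 96 is the older, vulnerable one.
    """
    return parse_version(version) >= parse_version(minimum)

# Constructed sample inventory: hostname -> Chrome version reported by that host.
SAMPLE_INVENTORY = {
    "ws-01": "72.0.3626.121",  # exactly the fixed build
    "ws-02": "72.0.3626.96",   # older build, still vulnerable
    "ws-03": "73.0.3683.75",   # newer major version
    "ws-04": "71.0.3578.98",   # older major version
}

def unpatched_hosts(inventory: dict) -> list:
    """Return the hostnames whose Chrome is below the fixed version, sorted."""
    return sorted(h for h, v in inventory.items() if not chrome_is_patched(v))

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {PATCHED_CHROME}")
```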
However, unlike previous zero-day exploits, this one is more dangerous, as Chrome's security chief Justin Schuh explains. Whereas earlier exploits used Flash as their initial attack vector, this one targets Chrome code directly, which means that the fix requires the user to restart the browser.

"Past 0-days targeted Chrome via Flash. It was not necessary to make sure that it was a switch. [2/3]"

- Justin Schuh (@justinschuh), March 7, 2019
The Windows vulnerability concerns the kernel driver win32k.sys. It is a local privilege escalation in win32k.sys that can be used as a sandbox escape. The bug is a NULL pointer dereference in win32k!MNGetpItemFromIndex, reached when the NtUserMNDragOver() system call is invoked under certain circumstances. According to Google, the vulnerability most likely works only on Windows 7, thanks to the security hardening Microsoft has added to newer versions of Windows; Project Zero researchers were able to implement an exploit only on 32-bit versions of Windows 7.

Source: https://habr.com/ru/post/442978/