USERS OF Windows 7 are being urged to upgrade to Windows 10 following the discovery of a zero-day privilege escalation flaw - not by Microsoft, but by Google.
The flaw, which is already being exploited in targeted attacks in the wild, according to Google security researchers, affects the Windows win32k.sys kernel driver.
According to Google, attacks combining the recently-patched security flaw in Google's Chrome web browser with the win32k.sys privilege escalation flaw have been observed. They believe that the Windows security flaw only affects the Windows 7 operating system.
"We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems," warned Clement Lecigne, a security engineer in Google's Threat Analysis Group.
"When we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes."
Microsoft, he added, is working on a fix in Windows 7, but systems could be vulnerable to online 'drive by' attacks until the company provides a fix or some form of mitigation.
News of the vulnerability comes just ten months before Microsoft formally ends extended support for Windows 7, after which organisations will be required to pay an extra $50 per PC for security updates, while home users will be left completely vulnerable.
Google Chrome engineering director Justin Schuh said that the company had been more vocal than normal in its warnings about these security flaws because most browser-based exploits target Adobe Flash, which is updated separately from Chrome.
"Past zero days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention," he noted.
"This newest exploit is different, in that the initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action."