WHAT'S GOING ON?
On Wednesday, February 27th, Google reported two zero-day exploits, one involving Google Chrome and one involving Microsoft Windows. The two exploits would most likely be used in tandem to compromise a system.
So far, the exploits have only been seen to apply to systems running the 32-bit Microsoft Windows 7 operating system, although Microsoft has stated that the vulnerabilities could also affect earlier Microsoft operating systems (e.g. Windows XP, 2000, ME, 98).
The exploits are severe, but steps can be taken to mitigate the vulnerabilities.
WHAT ARE THE VULNERABILITIES?
Google Chrome FileReader use-after-free
The long answer: Google Chrome has a feature called "FileReader", an API (Application Programming Interface) that allows web applications to read the contents of files stored on a user's system, such as when a text file is uploaded to a website. A type of vulnerability known as a UAF (Use-After-Free) was discovered within the FileReader API. A use-after-free is a memory corruption bug: the browser keeps using a block of memory after it has been released, which potentially allows malicious actors to insert and execute their own code.
The short answer: A malicious actor could cause a feature within the Google Chrome browser to crash, and that crash could be exploited to run code of their own.
Windows win32k.sys privilege escalation
The long answer: Many browsers have built-in siloed environments known as sandboxes. A sandbox allows some applications/files to be opened but does not allow the application/file to interact with the rest of the system. A vulnerability has recently been discovered in a Windows system file known as win32k.sys. This file provides functionality for outputting graphical content to monitors, printers and other output devices. The vulnerability is a “NULL pointer dereference” in “win32k!MNGetpItemFromIndex” when the “NtUserMNDragOver() system call” is called under specific circumstances. When this happens, the application crashes, and the condition can be exploited to escalate privileges and escape the sandboxed environment.
The short answer: When certain information is sent to an application, the application will crash, allowing a malicious actor to escalate permissions on the system. Once that occurs, the crash could be exploited to run code of their own.
WHAT ARE THE UNKNOWNS?
Google has released a patch. Microsoft is actively working on a patch as well, but an ETA has not been disclosed.
WHAT SHOULD I DO?
It is important to remember that security vulnerabilities such as these are discovered every day. Thankfully, there are many individuals within the Information Security industry (such as the staff at Tech Impact) who strive to keep systems safe for all. When vulnerabilities are reported, the vendors (Google, Microsoft, Webroot, etc.) work tirelessly to patch them.
Make sure all patches are applied to your systems
In the case of the two vulnerabilities listed above, ensuring that your system and applications are up-to-date and that patches/bug fixes have been applied is the first step. If you are unsure whether your system(s) have been updated, please reach out to your organization’s Account Manager.
Google Chrome has “Auto Updates” enabled by default, but if you are unsure whether Google Chrome has updated:
- Open Google Chrome
- Click on the three dots (top right of page)
- Click on “Help”
- Click on “About Google Chrome”
There will be a line that says “Google Chrome is up to date”, along with the version number. If the version number is greater than or equal to Version 72.0.3626.121, the patch for CVE-2019-5786 has been applied. If the version number is less than 72.0.3626.121, please call the Help Desk to have Google Chrome updated.
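For checking more than a handful of machines, the same comparison can be scripted. This is an added example, not from the original post or from Google: it compares the installed build against 72.0.3626.121 component by component rather than as text (as text, 72.0.3626.96 would wrongly sort above 72.0.3626.121), and the Chrome install folders it looks in are an assumption about a default Windows install.

```python
import os
import re
from typing import Optional, Tuple

# Chrome build that fixes CVE-2019-5786, as stated in the post above.
PATCHED_VERSION = "72.0.3626.121"

# Default Chrome install folders on Windows (assumed defaults, not from the post).
CHROME_APP_DIRS = (
    r"C:\Program Files (x86)\Google\Chrome\Application",
    r"C:\Program Files\Google\Chrome\Application",
)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '72.0.3626.121' into (72, 0, 3626, 121) so it compares numerically.
    Comparing the raw strings is wrong: as text, '72.0.3626.96' sorts after
    '72.0.3626.121' because '9' > '1', yet build 96 is the older, unpatched one."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed Chrome is at or above the fixed build."""
    return parse_version(installed) >= parse_version(patched)

def detect_chrome_version(app_dirs=CHROME_APP_DIRS) -> Optional[str]:
    """Best-effort local check: Chrome keeps each installed build in a sub-folder
    named after its version. Returns the highest such folder, or None if absent."""
    found = []
    for app_dir in app_dirs:
        if not os.path.isdir(app_dir):
            continue
        for name in os.listdir(app_dir):
            if re.fullmatch(r"\d+(\.\d+){3}", name) and os.path.isdir(os.path.join(app_dir, name)):
                found.append(name)
    return max(found, key=parse_version) if found else None

if __name__ == "__main__":
    version = detect_chrome_version()
    if version is None:
        print("Google Chrome was not found in the default install folders.")
    elif is_patched(version):
        print(f"Chrome {version} is at or above {PATCHED_VERSION}: CVE-2019-5786 fix present.")
    else:
        print(f"Chrome {version} is older than {PATCHED_VERSION}: update Chrome (call the Help Desk).")
```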
Upgrade to Windows 10 Pro
If you have systems running Windows 7, they should be upgraded to Windows 10 Pro as soon as possible. Microsoft will end support for Windows 7 on January 14th, 2020, which means it will no longer create new patches or security fixes for Windows 7 after that date. Windows 10 Pro is also a more secure system that will better protect your nonprofit. Please contact your Account Manager to implement this upgrade.