Google: Upgrade to Windows 10, our Chrome fix will not help
On February 27, Google reported two zero-day bugs, both actively exploited in the wild and previously unknown. One affects the Chrome browser (CVE-2019-5786) and the other affects Windows, and cybercriminals can exploit the two together.
Google released fixes for Chrome in version 72.0.3626.121 on March 1, but it cannot do much about the bug in Windows, since fixing that is Microsoft's task. What Google can do only affects 32-bit versions of Windows 7.
The Windows 7 bug is a local privilege escalation in the Windows win32k.sys kernel driver and can be exploited to break out of the security sandbox that Chrome runs in. The vulnerability in question is a NULL pointer dereference in win32k!MNGetpItemFromIndex that can occur under certain circumstances when the system call NtUserMNDragOver() is called.
Clement Lecigne writes on Google's official security blog that they reported the Windows bug to Microsoft but also chose to publish its existence, because they consider it a serious vulnerability that is being actively exploited in the wild. Microsoft has told Google that it is working on a fix.
Google also goes so far as to recommend that Windows 7 users leave the older operating system behind and upgrade to Windows 10. As far as Google can see, these bugs cannot be exploited on Windows 10.
According to Becoming computer, however, Google has failed to inform users that updating Chrome to version 72.0.3626.121 is not enough: the browser must also be restarted, otherwise the new code may not be loaded.