Advertisement
Subscribe to our daily newsletter.
Subscribe

Google researchers uncover two zero-days affecting Chrome, Windows

Both vulnerabilities could allow hackers to escape the “sandboxes” that software programs use as safeguards against malicious activity.

By

Google Chrome
Researchers believe hackers used Chrome extensions and other malicious tools — along with domains issued by a single registrar — to spy on computer users. (Getty Images)

Researchers at Google have found previously unkown vulnerabilities – one in Google Chrome and the other in Microsoft Windows – that they say attackers have been exploiting in tandem.

Both zero-day vulnerabilities could allow hackers to escape the “sandboxes” that software programs use as safeguards against malicious activity.

The vulnerability in Chrome, the web’s most popular browser, affects Chrome’s FileReader API, and could allow an attacker to carry out remote code execution. The Windows vulnerability, which Google researchers had been exploited on Windows 7, could give a hacker the ability to escalate privileges on a certain Windows kernel driver, letting the attacker break out of a security sandbox.

Google has released a patch for the Chrome vulnerability, while Microsoft is still working on its own, according to Clement Lecigne, a researcher with Google’s Threat Analysis Group.

Advertisement

“The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes,” Lecigne wrote in a blog post Thursday.

Users should upgrade to the latest versions of Chrome. For those with older versions of Windows, consider installing Windows 10, Lecigne said.

Justin Schuh, who leads Chrome’s security team, said the exploit is different from others in that it targets Chrome code directly, requiring users to restart the browser after patching.

https://twitter.com/justinschuh/status/1103763266445037568

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

In This Story

Advertisement
Advertisement

More Like This

Advertisement

Top Stories

Advertisement

More Scoops

Google Chrome’s logo is seen at Google’s annual developer conference, Google I/O, at Moscone Center in San Francisco on June 28, 2012 in California. AFP PHOTO / Kimihiro Hoshino (Photo credit should read KIMIHIRO HOSHINO/AFP/GettyImages)

Researchers find decades-old vulnerability in major web browsers 

The flaw, called ‘0.0.0.0 day,’ has to do with how browsers handle network requests.
By Greg Otto

Latest Podcasts

Special CyberTalks Edition with National Cyber Director Harry Coker

Image of a microphone for a podcast series

Tackling AI-powered threats with zero trust and least privilege access

Securing the Skies: Aerospace Cybersecurity with David Brumley

Verizon’s Lamont Copeland on defending against the expanding attack surface

Government

Technology

Threats

Geopolitics