The critical vulnerability reported in February 2019 was closed on March 1, 2019 by a Google Chrome browser update. The vulnerability is actively exploited in the wild, but so far only against 32-bit versions of Windows 7. Here are a few details.
Vulnerability CVE-2019-5786 in FileReader
I had already reported some information about CVE-2019-5786 yesterday in my blog post Google Chrome 72.0.3626.121 closes critical vulnerability. Older Chrome 72 versions contain a vulnerability, CVE-2019-5786, in FileReader that is rated high severity. It allows a maliciously crafted web page to access files stored locally on the device via the browser's FileReader API. According to various websites, it could also be used to take over the device or to trigger a denial of service condition.
Google did not provide details of the vulnerability at the time. However, it became known that the vulnerability is being actively attacked 'in the wild'. An update to the current Chrome version 72.0.3626.121 is therefore required.
Only 32-bit Windows 7 is at risk
On 7 March 2019, Google published the article Disclosing vulnerabilities to protect users across platforms in its security blog, which sheds more light on the situation. Already on Wednesday, 27 February, Google's developers had reported two 0-day vulnerabilities that were previously unknown to the public. One of them (CVE-2019-5786) was located in Google Chrome.
To fix the Chrome vulnerability, Google released an update for all Chrome platforms on March 1. This update was installed through Chrome's automatic update mechanism. The Chrome developers recommend that users verify their browser has been updated to 72.0.3626.121 or higher.
The other vulnerability is located in Microsoft Windows 7. In the attacks observed, both vulnerabilities were chained together. The Windows vulnerability is a local privilege escalation in the win32k.sys kernel driver, which can be used to break out of security sandboxes. It is a NULL pointer dereference in win32k!MNGetpItemFromIndex that is reached when the NtUserMNDragOver() system call is invoked under certain circumstances.
Google's developers strongly believe that this vulnerability can only be exploited on Windows 7, because of exploit mitigations added in newer versions of Windows. So far, Google's security experts have observed active exploitation only against 32-bit Windows 7 systems.
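The two conditions discussed above (Chrome older than 72.0.3626.121, and 32-bit Windows 7 as the platform the observed attacks target) can be checked from an elevated or normal PowerShell prompt on the machine itself. The following script is an added example and is not part of the original post or of Google's advisory; it assumes Chrome is installed in one of the standard per-machine or per-user locations and relies only on cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): report whether this machine is in the
# exposed configuration described above, i.e. Chrome older than 72.0.3626.121 on
# 32-bit Windows 7. Assumption: chrome.exe lives in one of the standard install roots.

$MinChromeVersion = [version]'72.0.3626.121'

# Standard install roots (assumed). ProgramFiles(x86) is undefined on 32-bit Windows,
# so empty entries are filtered out before building paths.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
$ChromeExe = $Roots |
    ForEach-Object { Join-Path $_ 'Google\Chrome\Application\chrome.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

# Windows 7 (and Server 2008 R2, which is 64-bit only) report kernel version 6.1.x;
# Win32_OperatingSystem.OSArchitecture is '32-bit' or '64-bit'.
$os      = Get-WmiObject -Class Win32_OperatingSystem
$IsWin7  = $os.Version -like '6.1.*'
$Is32Bit = $os.OSArchitecture -eq '32-bit'
Write-Host "OS: $($os.Caption) $($os.Version) ($($os.OSArchitecture))"

if (-not $ChromeExe) {
    Write-Host 'Chrome not found in the standard install locations; nothing to check.'
    exit 0
}

# The product version stamped into chrome.exe is the Chrome release number.
$ChromeVersion = [version](Get-Item $ChromeExe).VersionInfo.ProductVersion
Write-Host "Chrome: $ChromeVersion at $ChromeExe"

if ($ChromeVersion -lt $MinChromeVersion) {
    if ($IsWin7 -and $Is32Bit) {
        Write-Warning "EXPOSED: 32-bit Windows 7 with Chrome $ChromeVersion (< $MinChromeVersion). Update Chrome now."
    } else {
        Write-Warning "Chrome $ChromeVersion is older than $MinChromeVersion; CVE-2019-5786 affects all platforms, update it."
    }
    exit 1
}

Write-Host "Chrome $ChromeVersion is at or above $MinChromeVersion."
exit 0
```

The script checks the binary on disk, not the running process: if Chrome was open while the update was applied, the old code keeps running until the browser is relaunched, so close and reopen Chrome (or use the "Relaunch" prompt on chrome://settings/help) and run the check again. A non-zero exit code makes it easy to use from a login script or a management tool to find machines that still need attention.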
I expect Microsoft to patch the vulnerability on Patch Tuesday, 12 March 2019. Until then, users of a 32-bit Windows 7 version should either avoid Chrome or update their browser. The Google developers' recommendation to migrate to Windows 10 because of the bug seems to me like a bad joke.