Google engineers have identified a vulnerability in a Chrome patch that cyberterrorist can exploit to gain illegal access to devices.
Clement Lecigne, a member of Google's Threat Analysis Group, posted an article on the company's blog revealing that a Chrome zero-day patch was used together with a zero-day patch for Windows 7 in cyber attacks.
Attackers used both zero-days to launch malicious code and take over vulnerable systems.
Google discovered the vulnerability was related to CVE-2019-5786, a security flaw that was included in the Chrome 72.0.3626.121 version patch released on March 1.
The second vulnerability was linked to a local privilege escalation in the win32k.sys kernel driver, which Lecigne said can be used as a security sandbox escape.
"We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows," the Google engineer wrote.
"To date, we have only observed active exploitation against Windows 7 32-bit systems."
Google said Microsoft is already working on a fix to address the vulnerability but no word yet on when it will come out.
Meanwhile, Chrome Security and Desktop Engineering Lead Justin Schuh urged users to update their web browsers to the latest 72.0.3626.121 version to prevent security issues. This can be done using Chrome's built-in update tool.
"Seriously, update your Chrome installs... like right this minute," Schuh wrote on Twitter.
What Are Zero-Day Exploits?
In February, Microsoft security engineer Matt Miller revealed that around 70 percent of patches the company released over the past 12 years were meant to fix memory safety bugs.
He explained that this is because Windows was built mostly using C and C++ programming languages that are considered "memory-unsafe". Both provide developers with better control over memory addresses where codes can be executed.
However, one mistake in the management of memory codes can result in a multitude of safety errors. These can then be exploited by cyberterrorists to create havoc in systems such remote executions of codes or elevation of privilege flaws.
Miller said attackers often make use of use-after-free programs and heap corruption vulnerabilities to exploit safety errors. They tend to capitalize on the availability of these errors in many systems.
Here are some examples of zero-day exploits that have already been identified:
CVE-2017-8759 - a SOAP WSDL parser code injection believed to be linked to Microsoft Office RTF documents.
CVE-2017-0261 - a "restore" use-after-free vulnerability related to Encapsulated PostScript (EPS).
CVE-2016-0167 - a local privilege escalation exploit that victimized hundreds of Windows users in North America
CVE-2016-1019 - a critical security flaw related to Adobe Flash Player and earlier Windows, Macintosh, Linux, and Chrome OS versions.
How To Prevent Zero-Day Exploits
Anti-virus developer Norton advises consumers to follow a checklist to ensure that information on devices are safe from security risks and zero-day vulnerabilities.
Make sure to download the latest software and security patches for devices. Installing updates help keep systems up-to-date and free from potential bugs.
Maintain safe and effective personal online security habits.
Keep operating systems, internet browsers, and softwares secure by configuring their protection settings.
Install a proactive and comprehensive protection software for devices to block all potential threats and vulnerabilities.