
WEEKLY COMMENTS

Google's Threat Analysis Group has revealed that the Chrome patch issued on 1 March addressed a zero-day vulnerability (CVE-2019-5786) that was used together with a Windows 7 zero-day flaw to run malicious code on vulnerable systems. CVE-2019-5786 is a use-after-free bug in Chrome's FileReader, a browser API that allows web applications to read local file content. When used together with the zero-day bug in the win32k.sys kernel driver, it allows an attacker to escape Chrome's security sandbox and run commands on the underlying operating system. Both zero-days have been observed in targeted attacks in the wild, and users should apply the latest Chrome patch (Chrome 72.0.3626.121) to mitigate potential attacks. Google has informed Microsoft of the vulnerability in Windows 7, and the flaw is expected to be patched in the March Patch Tuesday release.

References:
[1] Disclosing Vulnerabilities to Protect Users Across Platforms

Ensign InfoSecurity Singapore
30A Kallang Place
#08-01
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883