Trending CVEs for the Week of March 11th, 2019
- Mar 13, 2019
- Shawn Evans
On February 27th, security engineers from the Threat Analysis Group at Google reported two zero-day vulnerabilities – one affecting Google Chrome (CVE-2019-5786) and another affecting Microsoft Windows 7 (CVE-2019-0808). According to them, the two vulnerabilities were being chained together to escape the Chrome browser sandbox and execute malicious code. There are very few technical details on CVE-2019-5786, other than it being a use-after-free vulnerability in FileReader component of Chrome browser. Google released an update for Google Chrome on March 1st, and pushed it through Chrome auto-update.
The second vulnerability is a local privilege escalation in the Windows win32k.sys kernel driver that can be used to escape security sandboxes when combined with browser vulnerabilities such as this new Chrome vulnerability. That one took longer to patch.
Google detailed that they observed active exploitation and targeted attacks against Windows 7 32-bit systems. They first reported it to Microsoft, and then publicly disclosed it in their Security Blog on March 7th – while the Windows vulnerability was still unpatched by Microsoft. At the time, Google advised upgrading to Windows 10. Microsoft finally released security updates addressing this vulnerability (CVE-2019-0808) as a part of this week’s Patch Tuesday. The updates address 64 different vulnerabilities, 15 of which have been marked as Critical, and two are zero-day vulnerabilities, known to have been actively exploited in the wild (for details, see the BleepingComputer report).
The second zero-day vulnerability addressed in those updates is yet another elevation of privilege vulnerability, CVE-2019-0797, discovered by Kaspersky.
As is often the case with trending vulnerabilities, all three CVEs are still reserved according to MITRE with no details published in the NVD as of March 13, 2019.