Trending CVEs for the Week of March 11th, 2019

Google Chrome Zero-Day Vulnerability (CVE-2019-5786) & Two New Actively Exploited Windows Zero-Day Vulnerabilities

Description

On February 27th, security engineers from Google's Threat Analysis Group reported two zero-day vulnerabilities – one affecting Google Chrome (CVE-2019-5786) and another affecting Microsoft Windows 7 (CVE-2019-0808). According to Google, the two vulnerabilities were being chained together to escape the Chrome browser sandbox and execute malicious code. There are very few technical details on CVE-2019-5786, other than that it is a use-after-free vulnerability in the FileReader component of the Chrome browser. Google released an update for Google Chrome on March 1st and pushed it through Chrome auto-update.

The second vulnerability is a local privilege escalation in the Windows win32k.sys kernel driver that can be used to escape security sandboxes when combined with browser vulnerabilities such as this new Chrome vulnerability. That one took longer to patch.

Google detailed that they observed active exploitation and targeted attacks against Windows 7 32-bit systems. They first reported it to Microsoft, and then publicly disclosed it in their Security Blog on March 7th – while the Windows vulnerability was still unpatched by Microsoft. At the time, Google advised upgrading to Windows 10. Microsoft finally released security updates addressing this vulnerability (CVE-2019-0808) as a part of this week’s Patch Tuesday. The updates address 64 different vulnerabilities, 15 of which have been marked as Critical, and two are zero-day vulnerabilities, known to have been actively exploited in the wild (for details, see the BleepingComputer report).

The second zero-day vulnerability addressed in those updates is yet another elevation of privilege vulnerability, CVE-2019-0797, discovered by Kaspersky.

As is often the case with trending vulnerabilities, all three CVEs are still reserved according to MITRE with no details published in the NVD as of March 13, 2019.

Affected Products

  • CVE-2019-5786 affects Google Chrome prior to version 72.0.3626.121.
  • CVE-2019-0808, Win32k elevation of privilege vulnerability – the zero-day reported by Google to be exploited together with the Chrome vulnerability, affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  • CVE-2019-0797, another Win32k elevation of privilege vulnerability reported by Kaspersky, affects Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server version 1709, and Windows Server version 1803.
  • Microsoft vulnerabilities patched as part of March 2019 Security Updates affect a range of software including Adobe Flash Player, Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office SharePoint, ChakraCore, Team Foundation Server, Skype for Business, Visual Studio, NuGet.

Exploitation and Risk

  • Google confirmed that CVE-2019-5786 (Chrome) was actively exploited in the wild along with the Windows 7 zero-day vulnerability (CVE-2019-0808).
  • According to Kaspersky, CVE-2019-0797, the second zero-day Windows vulnerability that was reported by them, has been used by several threat actors including FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new threat actor Kaspersky discovered recently.

Fixes

  • To remediate the Chrome vulnerability (CVE-2019-5786), Google pushed an update to Chrome. Users should verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.
  • To patch the two Windows zero-day vulnerabilities (CVE-2019-0808 and CVE-2019-0797) and the other Microsoft vulnerabilities, apply the March 2019 Microsoft Security Updates.
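As an added example (not part of the original post or of any vendor tooling), the Chrome version check from the first bullet written as a small Python triage script over a software inventory: the host names, OS values and versions in the inventory are constructed, while the fixed Chrome version and the platforms affected by CVE-2019-0808 are the ones listed above. It compares versions numerically, since a plain string comparison would wrongly treat 72.0.3626.9 as newer than 72.0.3626.121.

```python
"""Triage a Chrome inventory against the fix for CVE-2019-5786 (constructed example)."""
from typing import List, Tuple

FIXED_CHROME = "72.0.3626.121"  # first Chrome version containing the CVE-2019-5786 fix
# Platforms affected by CVE-2019-0808, the win32k.sys bug chained with the Chrome bug
CVE_2019_0808_PLATFORMS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}

# Constructed sample inventory: (hostname, operating system, Chrome version string)
SAMPLE_INVENTORY = [
    ("ws-01", "Windows 7", "72.0.3626.119"),
    ("ws-02", "Windows 10", "72.0.3626.121 (Official Build)"),
    ("ws-03", "Windows 10", "72.0.3626.9"),
    ("srv-01", "Windows Server 2008 R2", "73.0.3683.75"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into an integer tuple so comparison is numeric.

    Only the first whitespace-separated token is used, so trailing text such
    as "(Official Build)" is ignored. Non-numeric components raise ValueError.
    """
    first_token = version.strip().split()[0]
    return tuple(int(part) for part in first_token.split("."))


def is_chrome_patched(version: str) -> bool:
    """True if this Chrome build already contains the CVE-2019-5786 fix."""
    return parse_version(version) >= parse_version(FIXED_CHROME)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify each host; unpatched hosts on a CVE-2019-0808 platform are
    flagged separately because that is the chain Google saw exploited."""
    results = []
    for host, os_name, chrome_version in inventory:
        if is_chrome_patched(chrome_version):
            status = "patched"
        elif os_name in CVE_2019_0808_PLATFORMS:
            status = "unpatched-chain-exposed"
        else:
            status = "unpatched"
        results.append((host, status))
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```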

References

Google Security Blog

Kaspersky Report on CVE-2019-0797 (Zero-Day Windows Vulnerability)

BleepingComputer Report on March 2019 Microsoft Patch Tuesday

Microsoft Security Updates