Can you be two-timed? Yes, at least your device can. While the latest Microsoft Patch Tuesday ended – in theory at least – the dual vulnerability exploit which included both the Google Chrome browser and Windows 7, your vulnerability is only over if you have installed the Windows patch to your device.
This double-whammy phenomenon was both rare and active. It was unusual as it had two separate vulnerabilities working together as they targeted the separate Windows and Google systems. And, it was an active zero-day exploit which was being used in the real world – not just a theoretical problem. ZDNet reported that the two zero-day vulnerabilities were used to escape Chrome’s browser sandbox and execute malicious code on targeted devices.
“Having two known zero-day security vulnerabilities at the same time in popular software used by millions of users is just what malware authors are waiting for,” said Alexander Vukcevic, Director of Avira Protection Labs. “This is a fast line to infect users computer and bypass all security measures.”
Timeline on a two-timing
As typical for vulnerabilities, public information about the developers’ patching work and the specific vulnerability is extremely limited. The goal is to not give cyber-criminals a stick with which to beat users with. The timeline began with a March 1 update from Google that included a security fix for Chrome’s FileReader. –a web API that lets websites and web apps read the contents of files stored on the user’s computer. Four days later, they announced that this was for a vulnerability already being actively exploited – and no additional information. Then two days later, on March 7, Google let the information out of the hat. Their vulnerability was being exploited in connection to a local privilege escalation in Windows 7 only. By March 12, Microsoft had included its patch in the monthly collection of patches.
You’re not finished yet
While Microsoft’s Patch Tuesday release may have fixed 64 vulnerabilities, 17 of which were rated as critical – including the above mentioned CVE-2019-0808 zero-day vulnerability; the story is not over yet. Users still have the ability in many cases to download and install the patches – or they can procrastinate. That is another security risk to think about. “The time between when new critical vulnerabilities become known and users install the required updates is immediately used by new malware as it exponentially increases the likelihood of a successful infection,” explained Vukcevic.
Time to update your device or get an updater to do it for you.