ZDNet reported that the two zero-day vulnerabilities were used to escape Chrome’s browser sandbox and execute malicious code on targeted devices.
“Having two known zero-day security vulnerabilities at the same time in popular software used by millions of users is just what malware authors are waiting for,” said Alexander Vukcevic, Director of Avira Protection Labs. “This is a fast line to infect users’ computers and bypass all security measures.”
As is typical for vulnerabilities, public information about the developers’ patching work and the specific vulnerability is extremely limited. The goal is to not give cyber-criminals a stick with which to beat users. The timeline began with a March 1 update from Google that included a security fix for Chrome’s FileReader, a web API that lets websites and web apps read the contents of files stored on the user’s computer. Four days later, Google announced that the fix was for a vulnerability already being actively exploited, and gave no additional information. Then two days later, on March 7, Google made more information public: the Chrome vulnerability was being exploited in connection with a local privilege escalation in Windows 7 only. By March 12, Microsoft had included its patch in the monthly collection of patches.
Microsoft’s Patch Tuesday release may have fixed 64 vulnerabilities, 17 of which were rated as critical, including the above-mentioned CVE-2019-0808 zero-day vulnerability, but the story is not over yet. In many cases users can still choose to download and install the patches, or they can procrastinate. That is another security risk to think about. “The time between when new critical vulnerabilities become known and users install the required updates is immediately used by new malware as it exponentially increases the likelihood of a successful infection,” explained Vukcevic.
Time to update your device or get an updater to do it for you.