Google urges Windows 7 users to shift to Windows 10 following discovery of zero-day security flaw

Attacks combining zero-day win32k.sys privilege escalation flaw with 'high severity' Google Chrome flaw spotted in the wild

Users of Microsoft's Windows 7 operating system have been urged to upgrade to Windows 10 following the discovery of a zero-day privilege escalation flaw - not by Microsoft, but by Google.

The flaw, which is already being exploited in targeted attacks in the wild, according to Google security researchers, affects the Windows win32k.sys kernel driver.

According to Google, attacks combining the recently patched security flaw in Google's Chrome web browser with the win32k.sys privilege escalation flaw have been observed. They believe that the Windows security flaw only affects the Windows 7 operating system.

On Wednesday, Computing reported news of the Google Chrome security flaw, but also noted that details about it had been withheld. Now, the company has provided more details.

"We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems," warned Clement Lecigne, a security engineer in Google's Threat Analysis Group.

He continued: "When we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes."

Microsoft, he added, is working on a fix in Windows 7, but systems could be vulnerable to online 'drive by' attacks until the company provides a fix, or some form of mitigation.

News of the vulnerability comes just ten months before Microsoft formally ends extended support for Windows 7, with organisations required to pay an extra $50 per PC for security updates from then - but home users left completely vulnerable.

Google Chrome engineering director Justin Schuh said that the company had been more vocal than normal in its warnings about these security flaws because most browser-based exploits target Adobe Flash, which is updated separately from Chrome.

"Past zero days targeted Chrome by using Flash as the first exploit in the chain. Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention," he noted.

"This newest exploit is different, in that the initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is usually a manual action."
