If your computer is still on Windows 7, listen up! Google is now recommending Windows 7 holdovers to upgrade their systems to Windows 10 to protect their systems from two nasty zero-day bugs that attackers are already actively exploiting.
Fun fact: Although Windows 7 is scheduled to be retired less than a year away on Jan. 14, 2020 (Microsoft will end Windows 7 support on that day), around 43% of Windows computers are still running it.
Remember, we told you about the previously unknown Google Chrome security flaw yesterday. Note: To ensure that your Chrome browser is protected from this zero-day, please double check if you are already in its latest version, 72.0.3626.121.
Although Google already released a patch to fix this particular Chrome zero-day exploit last week, it appears that hackers are pairing this with another zero-day bug that is believed to be only exploitable on Windows 7 machines.
Refresher: Zero-days are computer security flaws that are already being exploited by hackers before the software developers are even aware of them.
Windows 7 zero-day bug exposed
According to Google’s security advisory, this particular Windows 7 vulnerability is a local privilege escalation in what is known as the “win32.sys” kernel driver, a critical component in Windows 7 32-bit systems.
Attackers can then use this security flaw to escape a Windows 7 system’s sandboxing protections and run malicious code. Google said that even with the latest Chrome patch, Windows 7 machines could still be impacted by this exploit.
“We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Google wrote. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”
As of this writing, there’s still no patch for this Windows 7 zero-day bug so as “mitigation advice,” Google recommends that users upgrade to Windows 10 and apply patches as soon as they become available.
Note: Macs, Windows 10 and Linux machines with the latest version of Chrome should be safe from these zero-day exploits.
Your move, Microsoft
Clement Lecigne, the Google researcher credited for the discovery of the flaw, wrote that in line with Google’s vulnerability disclosure policy, the vulnerability was reported to Microsoft as soon as it was found.
And also in line with its policy, Google has publicly disclosed the existence of the flaw since it is a serious security issue that is already being actively exploited in targeted attacks.
In response, Microsoft said that they are currently working on a fix. However, there’s still no word on when the patch will arrive.
In the meantime, to protect yourself from the latest zero-day attacks, it’s best to refrain from using your 32-bit Windows 7 machine until Microsoft confirms the rollout of the patch. Or better yet, take Google’s advice and upgrade to Windows 10 immediately.