An advisory is being issued to users who run both Windows 7 and Chrome. It is recommended that users upgrade to Windows 10 and to the latest version of Chrome. This comes after a 0-day was disclosed in Chrome, CVE-2019-5786, which consists of a bug in Chrome’s FileReader. The attack, which was found in the wild by Google security researchers, chains that bug with a flaw in the win32k.sys kernel driver that allows an attacker to break out of the browser sandbox Chrome uses to isolate untrusted code from the computer’s operating system (OS).

This 0-day in Windows 7 was originally reported by Google’s security team on 2-27-2019 and is unpatched as of the writing of this article. The unpatched 0-day was disclosed by Google’s security team on 3-5-2019 in Chrome Releases, Google’s Chrome blog, in accordance with Google’s vulnerability disclosure policy. According to Google’s security team, it is believed to affect only 32-bit Windows 7 systems.

Justin Schuh, a Lead Security and Desktop Engineer, tweeted on why this attack is so prominent. He stated that most 0-day attacks target the Flash plugin used in the browser, but in this attack the perpetrators targeted Chrome’s code itself.

The patch for Chrome’s 0-day has been released, but it is delivered as a Chrome browser update, so users must update Chrome to receive it. A patch for Windows 7 has not been released, so users are strongly advised to upgrade to Windows 10 to mitigate this risk.
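As an added example (not part of the original advisory or of Google’s own tooling), a small triage helper that sorts inventory hosts by the advisory’s two criteria: whether Chrome is below the fixed version, and whether the OS is 32-bit Windows 7. The inventory records are constructed, and the fixed Chrome version is passed in as a placeholder; take the real one from the Chrome Releases post the advisory refers to.

```python
"""Triage hosts against the Windows 7 + Chrome advisory described above."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Host:
    name: str
    os_version: str      # Windows NT version string; "6.1" is Windows 7
    is_64bit: bool
    chrome_version: str  # four-part Chrome version string, e.g. "72.0.3626.119"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '72.0.3626.119' into (72, 0, 3626, 119) so versions compare
    numerically: as strings '9' > '10', as tuples (9,) < (10,)."""
    return tuple(int(part) for part in v.strip().split("."))


def triage(host: Host, patched_chrome: str) -> str:
    """Classify one host. patched_chrome is the first Chrome version that
    contains the FileReader fix (placeholder supplied by the caller)."""
    chrome_fixed = parse_version(host.chrome_version) >= parse_version(patched_chrome)
    # Windows 7 reports NT 6.1; the advisory says only 32-bit builds are affected.
    win7_32bit = parse_version(host.os_version)[:2] == (6, 1) and not host.is_64bit
    if not chrome_fixed and win7_32bit:
        return "CRITICAL: unpatched Chrome on 32-bit Windows 7; full sandbox-escape chain applies"
    if not chrome_fixed:
        return "HIGH: unpatched Chrome (FileReader bug); update Chrome"
    if win7_32bit:
        return "MEDIUM: Chrome fixed, but win32k.sys flaw has no patch; upgrade to Windows 10"
    return "OK: Chrome fixed and OS not in the affected set"


def triage_all(hosts: List[Host], patched_chrome: str) -> Dict[str, str]:
    return {h.name: triage(h, patched_chrome) for h in hosts}


# Constructed inventory; "72.0.9999.0" below is a placeholder for the real fixed version.
SAMPLE_HOSTS = [
    Host("ws-01", "6.1", False, "72.0.9998.5"),   # Win7 32-bit, old Chrome
    Host("ws-02", "6.1", True, "72.0.9998.5"),    # Win7 64-bit, old Chrome
    Host("ws-03", "6.1", False, "72.0.9999.0"),   # Win7 32-bit, fixed Chrome
    Host("ws-04", "10.0", True, "73.0.1.1"),      # Win10, newer Chrome
]

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_HOSTS, "72.0.9999.0").items():
        print(f"{name}: {verdict}")
```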
