Microsoft is warning its users of a new Windows zero-day vulnerability that attackers are actively exploiting in the wild in combination with a Chrome exploit.
Microsoft’s December security updates include patches for a total of 36 vulnerabilities, of which 7 are critical, 27 important, 1 moderate, and 1 low in severity.
Tracked as CVE-2019-1458, the newly patched zero-day is a Win32k privilege escalation vulnerability reported by Kaspersky. It was used in Operation WizardOpium attacks to escape the Chrome sandbox and gain higher privileges on targeted systems.
According to Kaspersky researchers, the Chrome use-after-free exploit was chained with the newly patched elevation-of-privilege (EoP) flaw, which exists in the way the Win32k component in Windows handles objects in memory.
The EoP exploit works on “the latest versions of Windows 7 and even on a few builds of Windows 10” and, if successfully exploited, could allow an attacker to run arbitrary code in kernel mode.
Other vulnerabilities patched by Microsoft this month and marked as important reside in the following Microsoft products and services:
- Windows Operating System
- Windows Kernel
- Windows Remote Desktop Protocol (RDP)
- Microsoft Word
- Microsoft Excel
- Microsoft SQL Server Reporting Services
- Microsoft Access software
- Windows GDI component
- Windows Hyper-V
- Windows Printer Service
- Windows COM Server
- Windows Media Player
- Windows OLE
- Visual Studio Live Share
- Microsoft Authentication Library for Android
- Microsoft Defender
- Skype for Business and Lync
- Git for Visual Studio
To install the latest Windows security updates, go to Settings → Update & Security → Windows Update → Check for updates on your PC, or install the updates manually.