
Google Project Zero Discloses Windows 7 Zero-Day Vulnerability

According to Google Project Zero, 32-bit versions of Microsoft’s Windows 7 have a kernel flaw that lets bad actors escalate privileges.

Google Project Zero has often been at odds with Microsoft over the way it reports bugs in services. With that in mind, Microsoft will likely be unhappy to see the latest report about a vulnerability that is being used in conjunction with a Chrome exploit.

Project Zero was created to find zero-day flaws in Google software and in services from other companies. It has been running since 2015, and Google says it is supposed to push companies to take responsibility for security.

When it finds a flaw, Project Zero will warn the vendor and give them 90 days to create a patch. If that 90-day limit passes, Google will disclose the flaw publicly.

Google says it patched the exploit in Chrome (CVE-2019-5786) last Friday. Users should be on version 72.0.3626.121 or higher to avoid the problem. However, Microsoft's Windows 7 is still vulnerable due to the flaw in the win32k.sys kernel driver.

Project Zero describes the vulnerability as an escalation-of-privilege attack. The team believes it only affects Windows 7, Microsoft's aging OS that will sunset in January 2020. Microsoft's improved security on the newer Windows 8.1 and Windows 10 platforms ensures those operating systems are safe.

Microsoft knows about the vulnerability, and Google says the company is working on a fix, although it is not available yet. Until mitigations are launched, Google advises users to update to Windows 10 to avoid the problem.

Project Zero and Microsoft

Microsoft's problem with Google Project Zero has not been that the team finds vulnerabilities, but how it reports them. Project Zero has previously found issues in Windows 10 and the Microsoft Edge browser.

Under Project Zero's model, the team gives companies 90 days to fix a problem before making it public. Microsoft has criticized this approach, suggesting Google should work with companies to find fixes instead of imposing deadlines upon them.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
