Severity

High

Analysis Summary

A Google Chrome 0-day was first exploited in online attacks called Operation WizardOpium attacks ( the 0-day was assigned CVE-2019-13720). Google released Chrome version 78.0.3904.87 for Windows to patch this vulnerability.

Recently, WizardOpium has chained this Chrome 0-day with another Windows 0-day (CVE-2019-1458), which is being exploited to acquire privilege escalation on targeted systems by escaping the Chrome sandbox. This windows zero-day (Win32k) privilege escalation vulnerability has been patched in Microsoft December updates.

Impact

• Code execution
• Privilege Escalation

Affected Vendors

• Google
• Microsoft

Affected Products

• Windows
• Google Chrome

Remediation

• Update any computers running Windows 7 or Windows Server 2008 R2 (support ends for both on January 14th, 2020.
• Immediately update to Chrome version 78.0.3904.87 for Windows.
• Immediately update Windows to secure version. For installing the latest Windows security updates, you can head on to Settings > Update & Security > Windows Update > Check for updates on your PC, or you can install the updates manually.