⚠️Chrome and Windows zero-day update, including CVE-2019-5786
Google has issued a more detailed announcement regarding CVE-2019-5786. This announcement includes new information about how the vulnerability was being exploited in the wild. The Chrome exploit was combined with a Windows 7 zero-day that remains unpatched. The Windows vulnerability permits local privilege escalation.
Google believes that security additions in Windows 10 makes attacks against the newer OS unrealistic, if not impossible:
"We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems."
As it's likely that no patch will be available for the Windows 7 vulnerability for some time, Google's only mitigation advice is to upgrade to Windows 10:
"As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available."
No IOCs or alternative mitigations have been disclosed.