Google security officials are advising Windows users to ensure they're using the latest version 10 of the Microsoft operating system to protect themselves against a "serious" unpatched vulnerability that attackers have been actively exploiting in the wild. Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday
. While that specific exploit combination won't be effective against Chrome users who are running the latest browser version, the Windows exploit could still be used against people running older versions of Windows. The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome's FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.