
The number of Android users attacked by banking malware saw an alarming 300% increase in 2018, with 1.8 million of them hit by at least one such attack during the year. The overall number of attacked users was 786,325 in 2016 and dropped to 515,816 in 2017, but in April 2018 the number of attacks began rising sharply. The number of incidents peaked in June and September, and the year ended with an astounding 1,799,891 users having been hit by at least one Android banking malware family. Of all the Android users affected by financial malware, the highest percentages were found in Russia, South Africa, and the United States, while 85% of the attacks were conducted by bad actors using only three banking malware families. According to Kaspersky Lab's "Financial Cyberthreats in 2018" report, "Asacub peaked more than twice to almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three of them experienced explosive growth in 2018, especially Asacub as it peaked from 146,532 attacked users in 2017 to 1,125,258." While Asacub was also the top dog in the Android banking malware rankings in 2017, during 2018 this Android malware family was behind 58% of all detected attacks, more than doubling its "market share." For the full scope of this banking malware problem visit OUR FORUM.

Google recommends that Windows 7 users give it up and move to Microsoft’s latest operating system if they want to keep their systems safe from a zero-day vulnerability exploited in the wild. The security bug affects the Windows win32k.sys kernel driver and leads to privilege escalation on Windows 7. Google saw the Windows vulnerability used in targeted attacks, chained with a zero-day vulnerability (CVE-2019-5786) in the Chrome browser that received a patch on March 1 with the release of version 72.0.3626.121. The kernel driver vulnerability could also be used to escape the sandbox when chained with other browser security flaws, so Windows users could still be impacted even if they have correctly applied the most recent update for Google Chrome. Exploitation of the vulnerability in the wild targeted Windows 7 systems. Google believes that this is the only version of the OS where the exploit works, because the exploit mitigations Microsoft introduced in newer versions of the OS, Windows 10 in particular, would prevent it. If you still run an older version of Windows, the recommendation is to upgrade to Windows 10 and keep it updated with the newest patches. “The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” writes Clement Lecigne, a member of Google’s Threat Analysis Group. Further details are posted on OUR FORUM.

Scammers pretending to be employees of the Social Security Administration caused losses of at least $16.6 million last year. Reports of the SSA scam skyrocketed last year, with records from the US Federal Trade Commission showing over 63,000 reports of this particular fraud since January 2018. This is almost 20 times more than the number recorded in 2017, when 3,200 people called about the SSA voice phishing (vishing) scam. That year, the money losses were close to $210,000. Worrying as the latest official statistics are, the actual numbers are likely higher because not all victims register a complaint. Fraudsters come up with all sorts of reasons to elicit information from the victims or make them lose money. The purpose of the scam is to get the victim to send money through non-conventional methods or to obtain enough information to be used for identity theft or for applying for loans. There are multiple variations of the SSA phone fraud, but they all have some things in common. Pretending to be an SSA employee, the scammer at the other end of the line explains that the call was prompted by suspicions of crime-related activities or that someone used the victim's Social Security number to apply for credit cards. The deceit is further fueled by the fact that swindlers spoof the number of the SSA to make it look like the call is legitimate. Learn more by visiting OUR FORUM.