Security researchers at Google and Microsoft have observed attackers combining a patched Chrome vulnerability with an unpatched Windows vulnerability to attack Windows 7 systems. The announcement of the issue comes as part of their responsible vulnerability disclosure policy.
The Windows bug is a null pointer dereference in the win32k.sys kernel driver, while the Chrome bug is a use-after-free in the FileReader component. Both bugs involve accessing memory that the user should not be able to access.
Most modern web browsers use a "sandbox" to help protect against online attacks. This is similar to a virtual environment that websites and their associated code run in. These sandboxes are supposed to ensure that untrusted code can't get out and access system resources, but combining these two bugs allows for just that. Once code has broken out of the sandbox, it can access sensitive parts of the operating system and users' files.
Google patched this vulnerability last Friday, but unlike most updates, which take effect immediately, this patch requires a manual restart by the user. The Windows vulnerability has yet to be patched, but Microsoft believes it only affects Windows 7 32-bit systems. In the meantime, Microsoft is recommending that all users still running Windows 7 upgrade to Windows 10.