No piece of software is perfect, and sometimes vulnerabilities can go undiscovered for a long time. For instance, a WinRAR flaw was out in the open for almost two decades. Google’s latest Chrome bug isn’t that old, but it’s much more dangerous. Google has issued a patch for the vulnerability, but this is a “zero-day” flaw, meaning there are already online troublemakers using the vulnerability to attack Chrome. If you haven’t let Chrome update recently, take the time to do it now.
Google says this vulnerability is so severe that it’s withholding details until most Chrome installs have been patches to the latest version, which is v72.0.3626.121 in the stable channels. There should be corresponding updates in the beta and dev channels as well. Google’s blog post on the vulnerability calls it “CVE-2019-5786: Use-after-free in FileReader.”
All we know right now is that the attack involves the Chrome FileReader API. That’s the component that allows the browser to access local files on a machine. The “Use-after-free” bit refers to a class of vulnerabilities that could allow an attacker to execute malicious code on a machine. Since this was a zero-day, Google didn’t know anything about it. Thus, all Chrome installations were vulnerable.
We also do not know the scale of the attacks on Chrome, but Google was concerned enough to withhold most of the details. Browsers contain so much of our digital lives now that any vulnerability is potentially disastrous. Luckily, it’s very rare that nefarious online individuals will spot a serious vulnerability before Google or outside security researchers. We should know more about the flaw once most Chrome users are running a patched build.
It was Google’s own Threat Analysis Group that spotted the flaw in Chrome on Feb. 27. The patch started rolling out shortly thereafter. Chrome gets frequent updates, and depending on your usage pattern, it may already be installed. The browser automatically updates when you restart it. However, some people leave Chrome instances running for weeks at a time without giving it a chance to update. Now is the time to give Chrome a breather if you haven’t.
You can find out what version of Chrome you’re running by going to Settings > Menu > About Chrome. If it’s not updated, you can initiate a manual download.
Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates - ExtremeTech
