Chrome zero-day you need to know about
Google revealed on Wednesday that a previously unknown security flaw in its Chrome browser was under attack last week.
The security bug (CVE-2019-5786) was a “use-after-free” flaw in Chrome’s FileReader, an interface that all major web browsers use to allow web apps to read the contents of files stored on a user’s local computer.
Use-after-free vulnerabilities are common memory issues found in software. These errors happen when an app attempts to access memory after it has been freed. This can cause programs to crash, or cause memory corruption that hackers can use to run malicious code.
Chrome’s recent use-after-free exploit apparently allowed hackers to slip malicious code through the browser’s security sandbox and run commands on the underlying operating system.
Google credits the discovery of the flaw to Clement Lecigne of Google’s Threat Analysis Group. The bug was reported on Feb. 27.
Are you protected from this zero-day?
Thankfully, Google quietly released an update last week to patch the flaw. Since it was a patch for a zero-day, the exact reason for the security fix was not publicly disclosed until Wednesday to contain the reach of the exploit.
According to Google’s Stable Channel Update blog, access to the bug details and links will be kept under wraps until a majority of Chrome users are updated with the fix, or if the flaw still exists in third-party libraries.
So if you use Chrome on Windows, macOS or Linux, make sure you are on the latest version, 72.0.3626.121.
Chrome normally updates itself automatically after you restart it, but since the update contains a fix for an ongoing attack, please double check.
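For anyone checking more than one machine, the version check above can be scripted. The following is an added example, not code from Google or from this article; the host names and version strings in the sample inventory are constructed, and it assumes stable-channel builds, where a numerically higher version includes the fix.

```python
import re

# Fixed build named in the article for Windows, macOS and Linux.
PATCHED = (72, 0, 3626, 121)

# Chrome versions have four dotted numeric parts: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part version from text such as the output of
    `google-chrome --version` on Linux or the first line of
    chrome://version. Returns a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def status(text):
    """Classify one reported version string.
    Parts are compared as integers: a plain string comparison would
    rank '72.0.3626.99' above '72.0.3626.121' and miss that host."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Assumption: stable-channel builds, so higher means fix included.
    return "patched" if version >= PATCHED else "VULNERABLE"


def audit(inventory):
    """Map each host in {host: reported_version_text} to its status."""
    return {host: status(text) for host, text in inventory.items()}


# Constructed sample inventory (hypothetical hosts and outputs).
SAMPLE = {
    "ws-01": "Google Chrome 72.0.3626.121 ",
    "ws-02": "Google Chrome 72.0.3626.119 ",
    "ws-03": "Google Chrome 72.0.3626.99",
    "ws-04": "Google Chrome 71.0.3578.98",
    "ws-05": "sh: google-chrome: command not found",
}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(f"{host}: {result}")
```

Hosts reported as "unknown" still need a manual check, since a missing version string does not mean Chrome is absent.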