Chrome browser vulnerable to zero-day attacks, says Google
Google has revealed that the latest update for its Chrome browser, rolled out last week, was a fix for a zero-day that was already being exploited by attackers.
“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” the company said in a statement on Tuesday, following an advisory notice last Friday.
However, a tweet from Chrome security engineer Justin Schuh urged users to “[Like], seriously, update your Chrome installs… like right this minute”.
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
The vulnerability affects users of the browser on Windows, Mac, and Linux, and was reported on February 27 by Google Threat Analysis Group. It is a “use-after-free” memory corruption bug in the browser’s FileReader API, which enables web apps to read locally stored files.
According to the Center for Internet Security (CIS), attackers can exploit the vulnerability to remotely execute arbitrary code on a targeted system.
“Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” read the CIS statement.
As a result, users of Chrome are urgently advised to update to Chrome version 72.0.3626.121. The easiest way to do this is to type chrome://settings/help into the browser’s address bar; if your browser is out of date, follow the prompts.
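For administrators who need the same check across many machines, the following is an added example (not from the original article) that classifies collected browser version strings against the fixed build 72.0.3626.121. The host names and version outputs are constructed, and it assumes stable-channel builds reported in the four-part form printed by `google-chrome --version`.

```python
import re

# First Chrome build containing the CVE-2019-5786 fix, as stated in the article.
FIXED = (72, 0, 3626, 121)

# Matches a four-part Chrome version anywhere in a line of collected output.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable output: needs a manual check
    # Tuples compare numerically field by field, so 72.0.3626.99 sorts below
    # 72.0.3626.121 (a plain string comparison would get this wrong).
    # Assumption: stable-channel builds, where a higher version has the fix.
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Map {host: version_output} to {status: sorted list of hosts}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, output in inventory.items():
        report[classify(output)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (host names and outputs are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 72.0.3626.121",
    "ws-02": "Google Chrome 72.0.3626.119",
    "ws-03": "Google Chrome 72.0.3626.99 ",
    "ws-04": "Google Chrome 73.0.3683.75",
    "ws-05": "google-chrome: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" returned no parseable version and should be checked by hand rather than assumed safe.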
“Google Chrome is some of the most robustly engineered C and Cpp code on the planet, the security teams working on Chrome are world-class,” commented Travis Biehn, Technical Strategist – Research Lead at Synopsys.
“Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and Cpp,” he added.
“Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”
Biehn added that Mozilla, the creator of the Firefox browser, is exploring porting parts of its codebase to Rust, a language that doesn’t suffer from memory corruption attacks.
“[…] the availability of a highly performant and safe systems language like Rust is a game changer for software security – and we’re excited to see more organizations looking at replacing the use of less safe low-level languages with new languages like Rust,” Biehn said.