If you’re using the Chrome browser, you should immediately update to version 72.0.3626.121 or later. The reason for this urgency is that Google’s Threat Analysis Group has discovered a high-severity vulnerability that allows a remote attacker to take full control of the targeted system through Chrome, via arbitrary code execution. The particular vulnerability (CVE-2019-5786: Use-after-free in FileReader), affects all Chrome versions previous to the one mentioned above, and all three major operating systems (Windows, macOS, Linux). Marked as “RESERVED” right now, so no technical details have been disclosed yet, as people should be allowed some time to update to the latest and safest version.
Unfortunately, Google’s security engineers have admitted that exploitation of the particular vulnerability has already been observed in the wild, as this was reported to them by multiple independent security researchers. As the official announcement notes: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
FileReader is one of Chrome’s API components that links web applications with the computer’s memory, allowing them to read data there. As it seems, some form of a memory corruption bug enables web applications to (custom crafted) to write data to the memory as well, resulting in a scary escalation of privileges by a remote attacker. Chrome is only serving as the vehicle for the hacker to launch an attack against the system, and the whole process could be as simple as opening a malicious website. As no actual details have been released yet, the above is just a rough guess of how the exploitation could generally be working.
Right now, the important part is to update to the latest version and do so immediately. Using the latest versions of your “daily drive” applications is crucial in staying safe against all kinds of threats. Zero-day vulnerabilities like the above are the scariest of them all, and the fact that attackers have been exploiting it for a currently unknown period of time proves that there’s always the chance of something serious going unnoticed by software vendors for a long time.
What is your browser of choice and why? Share your preference in the comments section below, and help us spread the word and protect more people out there by sharing this post through our socials, on Facebook and Twitter.