Chrome Zero-Day Exploit Patched, Users Should Update Immediately

Google also discloses related Microsoft Windows vulnerability

Security experts at Google have recommended that all Chrome users update their browser immediately: the zero-day vulnerability tracked as CVE-2019-5786 has been patched in the latest version, 72.0.3626.121.

A zero-day is a security vulnerability that attackers have discovered, and worked out how to exploit, before the vendor has been able to patch it. Hence the term “zero day”: the vendor literally had zero days to close the hole.

Google was initially keeping quiet about technical details of the security vulnerability, until “a majority of Chrome users are updated with the fix”. This was likely to prevent further damage.

However, Google did confirm that the security vulnerability is a use-after-free in the FileReader component of the browser. FileReader is a standard API that allows web apps to asynchronously read the contents of files stored on a computer. Google also confirmed that the vulnerability has been exploited by online threat actors.

In a nutshell, the security vulnerability allows threat actors to gain privileges in the Chrome browser, and run arbitrary code outside of the sandbox. The threat impacts all major operating systems (Windows, macOS, and Linux).

It must be a very serious exploit, because even Justin Schuh, the Security and Desktop Engineering Lead for Google Chrome, spoke up on Twitter.

It is rather unusual for the security team to publicly address security holes; they typically patch things silently. Thus, Justin’s tweet implied a strong sense of urgency for all users to update Chrome as soon as possible.

Google has since published more details about the vulnerability, and in fact acknowledged that two separate vulnerabilities were being leveraged in tandem.

The first vulnerability was within Chrome itself: the FileReader use-after-free detailed above.

The second vulnerability was within Microsoft Windows itself. It was a local privilege escalation in the Windows win32k.sys kernel driver, and could be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances.

Google noted that they disclosed the vulnerability to Microsoft, and are publicly disclosing the vulnerability because it is “a serious vulnerability in Windows that we know was being actively exploited in targeted attacks”.

Microsoft is reportedly working on a fix, and users are advised to upgrade to Windows 10 and apply patches from Microsoft as soon as they become available.

How to Update Google Chrome on a PC

In the address bar of your browser, type chrome://settings/help, or click the three dots at the top right and choose Settings.

Then choose Settings (Bars) from the top left corner and choose About Chrome.

Once in the About section, Chrome will automatically check for updates, and if an update is available it will notify you.
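
To confirm on more than one machine that the update has landed, the following added example (not part of the original article) compares reported Chrome version strings against the patched build 72.0.3626.121 named above. The host names and version strings are constructed sample data; the strings are assumed to follow the "Google Chrome <version>" shape printed by google-chrome --version on Linux, or the "Version ..." line shown on the About page.

```python
import re

# Patched build named in the article.
FIXED = (72, 0, 3626, 121)

# Four dot-separated integers, as in "72.0.3626.121".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, fixed=FIXED):
    """True/False for a parsable version, None when no version is found.

    Tuples compare number by number, so 72.0.3626.99 sorts below
    72.0.3626.121; comparing the raw strings would get that wrong.
    """
    v = parse_version(text)
    return None if v is None else v >= fixed


def audit(inventory):
    """Map each host to 'patched', 'UPDATE NEEDED' or 'unknown'."""
    labels = {True: "patched", False: "UPDATE NEEDED", None: "unknown"}
    return {host: labels[is_patched(raw)] for host, raw in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "desk-01": "Google Chrome 72.0.3626.121",
    "desk-02": "Google Chrome 72.0.3626.119",
    "desk-03": "Google Chrome 72.0.3626.99",
    "desk-04": "Version 73.0.3683.75 (Official Build) (64-bit)",
    "desk-05": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" returned no parsable version and need a manual check rather than being counted as patched.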