SECURITY
SECURITY
SECURITY
Google reveals details of Chrome vulnerability that was exploited before last update
Google LLC has revealed that a patch issued to its Chrome browser March 1 addressed a zero-day exploit that was actively being exploited in the wild.
A zero-day is a vulnerability, usually unknown by a software vendor, that gives hackers a high level of access thanks to a critical flaw. For example, all Apple Mac users are currently exposed to a zero-day vulnerability first detailed March 4 that has yet to be patched.
The Chrome zero-day was patched in Chrome 72.0.3626.121 for Mac, Linux and Windows released on Friday, with Google publicly revealing some details of the exploit only today. The exploit, known as CVE-2019-5786, is said to be a use-after-free flaw in the browser’s FileReader application programming interface, an API designed to allow the browser to access and read locally stored files.
Google’s Chrome team was reserved in providing details, saying in a blog post dated March 1 but updated today that “access to bug details and links may be kept restricted until a majority of users are updated with a fix…. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Travis Biehn, technical strategist at Synopsys Inc. told SiliconANGLE that Google Chrome is robustly engineered in its use of the C and C++ programming languages and the security teams working on Chrome are “world-class.”
“Despite Google’s security program and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and Cpp,” Biehn explained. “Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”
What Biehn is referencing is that Google Chrome is designed to update automatically, with users rarely if ever noticing. If Google Chrome users have switched off automatic updating, it’s highly recommended that they manually update Chrome as soon as possible.
“To limit the damage zero-day vulnerabilities such as the just patched Chrome FileReader use-after-free could lead to if successfully exploited, users should always keep their apps up to date, run software or log on using a limited account, and think twice before visiting websites they don’t trust or click on links from unknown sources,” Bleeping Computer noted.
Image: Maxpixel
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
