UPDATED 21:49 EST / MARCH 06 2019

SECURITY

Google reveals details of Chrome vulnerability that was exploited before last update

Google LLC has revealed that a patch issued to its Chrome browser March 1 addressed a zero-day exploit that was actively being exploited in the wild.

A zero-day is a vulnerability, usually unknown by a software vendor, that gives hackers a high level of access thanks to a critical flaw. For example, all Apple Mac users are currently exposed to a zero-day vulnerability first detailed March 4 that has yet to be patched.

The Chrome zero-day was patched in Chrome 72.0.3626.121 for Mac, Linux and Windows released on Friday, with Google publicly revealing some details of the exploit only today. The exploit, known as CVE-2019-5786, is said to be a use-after-free flaw in the browser’s FileReader application programming interface, an API designed to allow the browser to access and read locally stored files.

Google’s Chrome team was reserved in providing details, saying in a blog post dated March 1 but updated today that “access to bug details and links may be kept restricted until a majority of users are updated with a fix…. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Travis Biehn, technical strategist at Synopsys Inc. told SiliconANGLE that Google Chrome is robustly engineered in its use of the C and C++ programming languages and the security teams working on Chrome are “world-class.”

“Despite Google’s security program and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and Cpp,” Biehn explained. “Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”

What Biehn is referencing is that Google Chrome is designed to update automatically, with users rarely if ever noticing. If Google Chrome users have switched off automatic updating, it’s highly recommended that they manually update Chrome as soon as possible.

“To limit the damage zero-day vulnerabilities such as the just patched Chrome FileReader use-after-free could lead to if successfully exploited, users should always keep their apps up to date, run software or log on using a limited account, and think twice before visiting websites they don’t trust or click on links from unknown sources,” Bleeping Computer noted.

Image: Maxpixel

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU