Yesterday, Google announced that a patch for Chrome released last week was actually a fix for an active zero-day discovered by its security team. The bug tagged as CVE-2019-5786, was originally discovered by Clement Lecigne of Google’s Threat Analysis Group on Wednesday, February 27th and is currently under active attack.
The threat advisory states that this vulnerability involves a memory mismanagement bug in a part called ‘FileReader’ of the Chrome browser. The FileReader is a programming tool that allows web developers to pop up menus and dialogs asking a user to choose from a list of local files to upload or an attachment to be added to their webmail. The attackers can use this vulnerability to execute a Remote Code Execution or RCE.
ZDNet states that the bug is a type of memory error that happens when an app tries to access memory after it has been freed/deleted from Chrome’s allocated memory. If this type of memory access operation is mishandled, it can lead to the execution of malicious code.
Chaouki Bekrar, CEO of exploit vendor Zerodium, tweeted that the vulnerability allegedly allows malicious code to escape Chrome’s security sandbox and run commands on the underlying OS.
— Chaouki Bekrar (@cBekrar) March 6, 2019
Not divulging in any further information on the bug, Google says: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Further, Forbes reports that Satnam Narang, a senior research engineer at Tenable has said that it is a “Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer.” Catalin Cimpanu, a security reporter at ZDNet, suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. “The PDF documents would contact a remote domain with information on the users’ device –such as IP address, OS version, Chrome version, and the path of the PDF file on the user’s computer”, he added.
The fix for this zero-day
Users are being advised to update Chrome across all platforms.
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
Mac, Windows, and Linux users are advised to manually initiate the download if it is yet to be pushed to a device. Head over to chrome://settings/help to check the current version of Chrome on your system. The URL will also do an update check at the same time, just in case any recent auto-updates have failed.
Google Chrome developers “clarify” the speculations around Manifest V3 after a study nullifies their performance hit argument
Google’s new Chrome extension ‘Password CheckUp’ checks if your username or password has been exposed to a third party breach
Hacker duo hijacks thousands of Chromecasts and Google smart TVs to play PewDiePie ad, reveals bug in Google’s Chromecast devices!