Google closes vulnerability in Chrome browser that is being actively exploited
Google has patched a serious use-after-free vulnerability in its Chrome browser. An exploit for the zero-day vulnerability is circulating. Google recommends that users update to the latest browser version as soon as possible.
The use-after-free vulnerability resides in Chrome’s FileReader, a web API that allows sites to access files on a user’s system. Use-after-free vulnerabilities involve memory corruption bugs that can be exploited through browser attacks. With the Chrome vulnerability CVE-2019-5786, the danger is that attackers could set up a special website to access memory on a victim’s system via the FileReader API and eventually execute arbitrary code.
Google recommends that users update to Chrome version 72.0.3626.121 for Windows, Mac, Linux, and Android. Google announced those versions last Friday, stating that a single security problem had been fixed. In an update, the company clarifies that an exploit has been found in the wild and malicious parties are therefore actively targeting exploitation of the vulnerability.
Justin Schuh of the Google Chrome security team speaks of a chain of zero days that Google found, potentially making it a combined exploit, such as escaping Chrome’s sandbox, which would increase the severity of potential attacks. Schuh advises to be updated immediately.