Users should waste no time in updating to the browser’s latest version

Google has revealed that the update for Google Chrome, rolled out late last week, addressed a that attackers were already exploiting in the wild.

“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” the noted in an on Tuesday after initially releasing the advisory last Friday. Also on Tuesday, a tweet by leading Chrome security engineer Justin Schuh added urgency to the issue: “[Like], seriously, update your installs… like right this minute”.

The vulnerability that affects the browser in Windows, Mac, and Linux was reported by Clement Lecigne of Google’s Analysis Group on February 27.

- chrome updated - Latest Chrome update plugs a zero-day hole

The security hole is a “use-after-free” memory corruption bug in the browser’s FileReader API, a browser component intended to enable web apps to read locally stored files. That said, exploitation of the vulnerability can result in more damage than the API’s name might imply. As revealed by a note by the Center for Internet Security (CIS), attackers may ultimately be able to remotely execute arbitrary code on the targeted system:

“Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete ; or create new accounts with full user rights,” reads the note. The zero-day can be triggered when a user is lured to a specially crafted web page.

In light of all that, users are advised to update to Chrome version 72.0.3626.121 if they haven’t done so already. Arguably the easiest way to check if an update is pending is to type chrome://settings/help into the browser’s address bar and, if your browser is indeed out of date, follow the prompts.








Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here