New Google Chrome Zero-Day Vulnerability Detected
A new Google Chrome zero-day vulnerability, which is being actively exploited in the wild, has been detected.
Clement Lecigne, a security researcher who is part of Google’s Threat Analysis Group, found and reported this high-severity vulnerability in Google Chrome late last month. This zero-day vulnerability could reportedly allow remote attackers to execute arbitrary code and gain full control of systems and networks.
This newly detected zero-day vulnerability, which affects the web browsing software on all major operating systems, including Windows, Linux and macOS, has been assigned the identifier CVE-2019-5786. The Google researchers haven’t divulged any technical details pertaining to this vulnerability. They have stated only that the issue is a use-after-free vulnerability in the FileReader component of Google Chrome and that this vulnerability leads to remote code execution attacks.
The Hacker News, in a detailed report on this Google Chrome vulnerability, explains, “FileReader is a standard API that has been designed to allow web applications to asynchronously read the contents of files (or raw data buffers) stored on a user’s computer, using ‘File’ or ‘Blob’ objects to specify the file or data to read…The use-after-free vulnerability is a class of memory corruption bug that allows corruption or modification of data in memory, enabling an unprivileged user to escalate privileges on an affected system or software.”
The report also explains how the use-after-free vulnerability in the FileReader component of Google Chrome can be exploited; it reads, “The use-after-free vulnerability in the FileReader component could enable unprivileged attackers to gain privileges on the Chrome web browser, allowing them to escape sandbox protections and run arbitrary code on the targeted system.”
The most startling thing is that this zero-day RCE vulnerability is being actively exploited in the wild by cybercriminals who are targeting users of Google Chrome.
An attacker would begin the attack by tricking a user into opening, or redirecting the user to, a specially crafted webpage. No further interaction would be needed, and the attack would be executed from this page. Google rolled out a patch for this vulnerability on March 1, 2019. Users of Google Chrome should ensure that they immediately update to the latest version of the web browser.
In the Stable Channel Update that contains the patch for the bug, the Google Security team notes, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”