BBO Discussion Forums: Google Confirms Serious Chrome Security Problem - BBO Discussion Forums


Google Confirms Serious Chrome Security Problem: Here's How To Fix It

#1 y66

  • Group: Advanced Members
  • Posts: 6,496
  • Joined: 2006-February-24

Posted 2019-March-07, 15:46

From Davey Winder, Cybersecurity Contributor at Forbes:

Quote

Google Chrome's security lead and engineering director, Justin Schuh, has warned that users of the most popular web browser should update "like right this minute." Why the urgency? Simply put, there is a zero-day vulnerability for Chrome that the Google Threat Analysis Group has determined is being actively exploited in the wild. What does that all mean? Well, a vulnerability is just a bug or flaw in the code and while they all need to be fixed, not all of them either can be or are being exploited. A zero-day vulnerability is one that threat actors have managed to create an exploit for, a way of doing bad things to your device or data before the good guys even knew the vulnerability existed. In other words, they have zero days in which to issue a fix. The bad news for users of Google Chrome is that this particular zero-day vulnerability, CVE-2019-5786, is already being exploited by the bad guys. Which is why it's so important to make sure your browser has been updated to the latest patched version that fixes the vulnerability.

The problem explained

Although information regarding CVE-2019-5786 remains scarce currently, Satnam Narang, a senior research engineer at Tenable, says it is a "Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer." The 'use-after-free' vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. That's why Google has issued the urgent update warning, as the potential is there for exploits to be crafted that could enable an attacker to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser's built-in sandbox protection.

What to do next

Luckily this is an easy problem to fix, just make sure you do it as soon as you've finished reading this! First, head over to the drop-down menu in Chrome (you'll find it at the far right of the toolbar - click on the three stacked dots) and select Help|About Google Chrome. You could also type chrome://settings/help in the address bar if you prefer, which takes you to the same dialog box. This will tell you if you have the current version running or if there is an update available. To be safe from this zero-day exploit, make sure that it says you are running version 72.0.3626.121 (Official Build). If not, then Chrome should go and fetch the latest version and update your browser for you automatically.

Travis Biehn, technical strategist and research lead at Synopsys, said "Google Chrome is some of the most robustly engineered C and C++ code on the planet, the security teams working on Chrome are world-class. Despite Google's security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and C++. Luckily for the public, Chrome ships with an effective mechanism for update and patching - one that can get a critical fix out to end users in real time."

If you lose all hope, you can always find it again -- Richard Ford in The Sportswriter
2

#2 barmar

  • Group: Admin
  • Posts: 21,398
  • Joined: 2004-August-21
  • Gender:Male

Posted 2019-March-07, 16:07

My Chrome automatically updated to this version several days ago.

#3 y66

  • Group: Advanced Members
  • Posts: 6,496
  • Joined: 2006-February-24

Posted 2019-March-07, 19:35

According to Google, Chrome auto updates when you close and reopen your computer's browser. Good reason to shut down and restart at the end of the day which I am not in the habit of doing. Will rethink that.
If you lose all hope, you can always find it again -- Richard Ford in The Sportswriter
0

#4 kenberg

  • Group: Advanced Members
  • Posts: 11,052
  • Joined: 2004-September-22
  • Location:Northern Maryland

Posted 2019-March-08, 07:35

Thanks. Yes, my Chrome is running in the newest version, but I still appreciate hearing about such things. And now I will check Becky's.
I often but not always shut down the computer at bedtime and restart the next day. I figure it needs its sleep the same as I do. I can't say that I am entirely happy that everyday features of our lives are so dependent on other people, but I think that the Chrome folks actually know what they are doing.

Ken
1

#5 barmar

  • Group: Admin
  • Posts: 21,398
  • Joined: 2004-August-21
  • Gender:Male

Posted 2019-March-08, 09:18

y66, on 2019-March-07, 19:35, said:

According to Google, Chrome auto updates when you close and reopen your computer's browser. Good reason to shut down and restart at the end of the day which I am not in the habit of doing. Will rethink that.

I'm on a Mac, so closing the browser window doesn't exit the application. But it displays a green arrow icon in the corner when there's an update ready; clicking on the icon restarts to load it.

#6 fromageGB

  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2019-March-08, 10:53

In Linux you often need manual action to do updates, but in Arch the latest version of Chromium is fine (72.0.3626.121 (Official Build)).
0
