Posted on 03/08/2019 7:49:10 AM PST by dayglored
Google is urging users to update Chrome across all platforms after a critical vulnerability was discovered and patched.
The vulnerability exploits a security flaw known as CVE-2019-5786. The security flaw is a memory management issue in Chrome's FileReader which gives hackers the opportunity to inject and execute malicious code.
FileReader is an embedded program in most browsers that allows web apps to read the contents of a user's local file system. The vulnerability identified by Google allows malicious code to leave Chrome's security environment and run commands on the underlying OS.
Well-known Chrome security researcher Justin Schuh concisely addressed the urgency of this update on Twitter:
Also, seriously, update your Chrome installs... like right this minute. #PSA
Justin Schuh (@justinschuh) March 6, 2019
Google is calling this a "zero-day" vulnerability, meaning that the bad guys figured out how to exploit it before the good guys were able to find and patch it.
The version of Chrome you should be running is 72.0.3626.121, released at the beginning of March 2019. To check your version number, type chrome://settings/help into the address bar. From there, you will be able to see your version number. Just going to that page will trigger an update check, and Chrome will prompt you to relaunch it when finished. You can also manually download the latest version of Chrome here.
Stay safe out there.
Run these two (free) programs ... Malwarebytes and Malwarebytes AdwCleaner.
No thanks.
My bank is telling me I cannot perform a particular transaction in my accounts unless I use CHROME.
AND I AM FURIOUS.
I have used Malwarebytes for years. I just deleted it two days ago because the recent upgrade really slowed my PC down.
Cletus, help! Technodope old lady here. Please tell me what to do. TIA
Thanks for posting. I am up to date.
If you have a phone, it’s too late. MZ has everything he needs regarding your “LifeLog”.
Update Chrome or, to reduce the intrusion, go to a Mozilla platform browser (FireFox, PaleMoon). Just remember, everyone has a BACKCHANNEL into your life.
I’ve started to do all my browsing in a Virtual Machine instance running in VirtualBox, that has nothing else on it.
I see what you did there.
If you want on or off the Mac Ping List, Freepmail me.
Thanx...
Red
Blue
Green?
I upgraded Chrome years ago (by having Firefox, Opera, and Brave instead).
LOL.
Agree!
I expect they already have that info, but I’m certainly not going to hand it to them on a silver platter.
“The vulnerability identified by Google allows malicious code to leave Chrome’s security environment and run commands on the underlying OS.”
It’s sad that the OS itself isn’t protected from malicious actions by applications.
Anyone using goggle Crome already has a Zero-day exploit installed by default.
I uninstalled it and have no plans to reinstall it in the near future.
Hurry to download the latest buggy browser update before it's too late! Hurry, hurry, hurry!
The following excerpt from the Register article I linked above in comment #5 is HIGHLY TECHNICAL and only of interest to our resident techies: software programmers and sysadmins.
The bug, discovered by Googler Clement Lecigne, lies in the FileReader API portion of Chrome, and is a use-after-free() programming blunder. This means the browser can be tricked into marking a block of heap memory as no longer needed, and then uses it again anyway as if it hadn't freed the space.
If the above reads like total gibberish to you, please don't fret, just ignore it. :-)
In between a thread releasing the memory and reusing it, that memory space could be assigned to another part of the browser and altered, for example, while rendering a webpage. When a thread incorrectly reuses that memory space, the data will have been overwritten and significantly changed, leading to confusion and ultimately, potentially, remote code execution.
One way to achieve this would be to craft a webpage that, when loaded, causes a Chrome thread to free memory holding a block of function pointers, then render some HTML or fire up some JavaScript that causes the block to be reallocated, and those pointers overwritten with data contained in the page. Then you wait for the browser to access what it thinks are still valid pointers from the memory block, and jump to them. In reality, it will start running arbitrary code supplied by the attacker's webpage.
Exact details of the flaw are being withheld until enough people are patched. The bug fix was emitted at the start of March, and word of exploitation in the wild emerged this week.
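The free, reallocate, reuse sequence described in the excerpt above, as an added C example (not from the article and not Chrome's code): a constructed one-slot allocator models block reuse without real undefined behaviour, and a generation-checked handle shows one common way to reject a stale reference. All names here (slot_t, handle_t, reader_done, page_supplied) are hypothetical.

```c
#include <stdio.h>

/* Toy one-slot "heap" (constructed): models reuse of a freed block deterministically. */
typedef int (*handler_fn)(void);
typedef struct { handler_fn handler; unsigned gen; int in_use; } slot_t;
typedef struct { slot_t *slot; unsigned gen; } handle_t;  /* hardened reference */

static slot_t pool[1];
static int reader_done(void)   { return 1; }  /* callback the first owner stored */
static int page_supplied(void) { return 2; }  /* stands in for the new owner's data */
static void pool_reset(void)   { pool[0] = (slot_t){0}; }

static slot_t *slot_alloc(handler_fn h) {
    if (pool[0].in_use) return NULL;
    pool[0].in_use = 1;
    pool[0].gen++;               /* every reuse of the slot gets a new generation */
    pool[0].handler = h;
    return &pool[0];
}

static void slot_free(slot_t *s) { s->in_use = 0; }  /* caller's pointer is not cleared */

/* Buggy pattern: the raw pointer is kept and used after slot_free(). */
int stale_raw_call(void) {
    pool_reset();
    slot_t *p = slot_alloc(reader_done);
    slot_free(p);                /* block released ...                     */
    slot_alloc(page_supplied);   /* ... and handed to another part of the program */
    return p->handler();         /* stale pointer now runs the new owner's value */
}

/* Hardened pattern: a handle is only valid for the generation it was issued for. */
static int checked_call(handle_t h) {
    if (!h.slot->in_use || h.slot->gen != h.gen) return -1;  /* stale: refuse */
    return h.slot->handler();
}

int stale_checked_call(void) {
    pool_reset();
    slot_t *p = slot_alloc(reader_done);
    handle_t h = { p, p->gen };
    slot_free(p);
    slot_alloc(page_supplied);
    return checked_call(h);      /* generation mismatch is detected */
}

int main(void) {
    printf("raw stale call     -> %d\n", stale_raw_call());
    printf("checked stale call -> %d\n", stale_checked_call());
    return 0;
}
```
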