A new zero-day vulnerability in Google Chrome, tracked as CVE-2019-5786, is actively exploited in attacks in the wild.
A new zero-day vulnerability in Google Chrome is actively exploited in attacks in the wild. The vulnerability was discovered late February by Clement Lecigne, a security researcher at the Google Threat Analysis Group. The high severity zero-day flaw in Chrome could be exploited by a remote attacker to execute arbitrary code and take full control of the target computer.
The vulnerability tracked as CVE-2019-5786 resides in the web browsing software and impact all major operating systems including Windows, Apple macOS, and Linux.
Lecigne did not reveal technical details of the issue, Google experts only revealed that the CVE-2019-5786 flaw is a use-after-free vulnerability in the FileReader component of the Chrome browser. FileReader is a standard API that allows web applications to asynchronously read the contents of files stored on a computer, using ‘File’ or ‘Blob’ objects to specify the file or data to read.
Google confirmed that the zero-day RCE vulnerability is actively being exploited in the wild by threat actors.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” reads the security advisory published by Google. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.
You must update your Google Chrome immediately to the latest version of the web browsing application.
A use-after-free flaw in the FileReader component could be exploited by unprivileged attackers to gain privileges on the Chrome web browser and to escape the sandbox to run arbitrary code.
The attack scenario sees threat actors tricking victims into opening, or redirecting them to, a specially-crafted webpage.
Google addressed the issue by rolling out a stable Chrome update 72.0.3626.121 for Windows, Mac, and Linux operating systems.
Don’t waste time and update your Chrome web browser.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.