Patch immediately: Chrome zero-day flaw is being attacked now


Google's head of Chrome security has warned all Chrome users to update the browser immediately to patch a zero-day flaw that is being exploited now.

Google issued a warning about the attacks yesterday in an update to a post about a Chrome update released on March 1 that contained one security fix.   

Enterprise admins and Chrome desktop users on the stable channel should check to see that they have updated to Chrome 72.0.3626.121 for Windows, Mac, and Linux. 
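The version check described above can be run across an inventory export. The following is an added example, not code from Google or from the original article; the hostnames and the sample inventory are constructed, and only the fixed build number 72.0.3626.121 comes from the article. It compares versions numerically, because a plain string comparison would rank 72.0.3626.99 above 72.0.3626.121.

```python
"""Audit a host inventory against the fixed Chrome build named in the article."""
import re

# 72.0.3626.121 is the patched stable build given in the article.
FIXED = (72, 0, 3626, 121)

# Constructed sample inventory (hostname, reported version string); not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 72.0.3626.121"),
    ("ws-002", "72.0.3626.119"),
    ("ws-003", "72.0.3626.99"),   # sorts above .121 as a string, but is older
    ("ws-004", "73.0.3683.27"),
    ("ws-005", "unknown"),        # agent returned no usable version
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part Chrome version as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED):
    """Return 'patched', 'needs_update' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # needs follow-up; never counted as patched
    # Tuple comparison is numeric per component, unlike string comparison.
    return "patched" if version >= fixed else "needs_update"


def audit(inventory, fixed=FIXED):
    """Group hostnames by classification."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for host, text in inventory:
        report[classify(text, fixed)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```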

The update addressed a use-after-free memory corruption error in FileReader, a web interface in Chrome and other browsers that lets web apps read the contents of files stored on users’ computers. This class of memory corruption bug can be dangerous and is commonly found by researchers who look for flaws in browsers.

Google's updated post revealed that the bug, CVE-2019-5786, was reported by a member of Google's Threat Analysis Group and that an exploit for it was already being used by attackers. 

The Google threat researcher reported the issue on February 27, two days before the original advisory and almost a week after Google revealed the extra details.  

“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” Google notes in the updated Chrome releases blog.

Shortly after Google updated the post, Chrome’s head of security warned organizations and users to update Chrome installations “like right this minute”, noting the company last week dealt with a zero-day "chain", referring to an exploit that uses more than one vulnerability to compromise a computer.  

There are no details about whether CVE-2019-5786 is being used in targeted or widespread attacks, though the bug is most likely being used by an advanced persistent threat (APT) group. 


Chaouki Bekrar, CEO of exploit broker Zerodium, noted the bug was reportedly a remote code execution flaw that allowed malicious code to escape the Chrome sandbox, which would allow an attacker to compromise the operating system. 
