After releasing an update for version 72.0.3626.121 of the Chrome stable channel, Google has announced it was actually a patch for a zero-day flaw CVE-2019-5786. When the initial release was made public, Google did not announce the vulnerability because they wanted users to download the update first. A use-after-free condition within Chromes FileReader is where the vulnerability lies. Essentially, the flaw allows for malicious code to escape Chrome’s security system and infect the target machine. If this is exploited correctly, attackers can view, change, and delete data, install new programs, and create fake accounts. Government institutions and businesses are said to have a high-risk assessment, while at home users have a lower risk of being exploited.
Analyst Notes
All users should update Chrome as soon as possible. Chrome should also be running without admin rights. A virus scanner can also be used to detect any unauthorized activity on user systems.
