After releasing version 72.0.3626.121 of the Chrome stable channel, Google announced that the update was actually a patch for a zero-day flaw, CVE-2019-5786. When the initial release was made public, Google did not announce the vulnerability because it wanted users to download the update first. The vulnerability is a use-after-free condition in Chrome's FileReader. Essentially, the flaw allows malicious code to escape Chrome's security sandbox and infect the target machine. If it is exploited successfully, attackers can view, change, and delete data, install new programs, and create fake accounts. Government institutions and businesses are said to be at high risk, while home users have a lower risk of being exploited.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense