
UPDATE: There is an update to this story. Today, March 7, Google revealed that this Chrome zero-day was part of a more complex attack that also involved a Windows 7 zero-day.
Google revealed yesterday that a Chrome patch released last week was actually a fix for a zero-day that was under active attack.
The attacks exploited CVE-2019-5786, a security flaw whose fix was the only patch included in Chrome version 72.0.3626.121, released last Friday, March 1, 2019.
According to an update to its original announcement and a tweet from Google Chrome's security lead, the patched bug was under active attack at the time of the patch.
Google described the security flaw as a memory management error in Google Chrome's FileReader, a web API included in all major browsers that lets web apps read the contents of files stored on the user's computer.
More specifically, the bug is a use-after-free vulnerability, a type of memory error that happens when an app tries to access memory after it has been freed or deleted from Chrome's allocated memory. Incorrect handling of this type of memory access operation can lead to the execution of malicious code.
According to Chaouki Bekrar, CEO of exploit vendor Zerodium, the CVE-2019-5786 vulnerability allegedly allows malicious code to escape Chrome's security sandbox and run commands on the underlying OS.
Google discovered a Chrome RCE #0day in the wild (CVE-2019-5786). Reportedly, a full chain with a sandbox escape: https://t.co/Nxfrvr5wIh
— Chaouki Bekrar (@cBekrar) March 6, 2019
In 2019, I expect epic 0days to be found in the wild: Android, iOS, Windows, Office, virtualization, and more. Stay safe and enjoy the show.
Besides revealing exploitation attempts, the browser maker also gave credit to the security researcher who discovered the bug, Clement Lecigne of Google's Threat Analysis Group.
Last month, speaking at a security conference in Israel, Microsoft security engineer Matt Miller said that roughly 70 percent of all security bugs that Microsoft patches every year are memory safety errors like the one the Chrome team patched last week.
Most of these errors come from using C and C++, two "memory-unsafe" programming languages that are also used for the Chromium source code, the open source project on which Google Chrome is based.
Google Chrome users are advised to use the browser's built-in update tool to trigger an update to version 72.0.3626.121. Users should do this right now, especially when the advice comes from Google Chrome's security lead.
If you (or your users) are running Chrome and you're not yet on 72.0.3626.121 ... accelerate.
— Royce Williams (@TychoTithonus) March 6, 2019
The CVE-2019-5786 details aren't public yet ... but if Justin thinks you should prioritize, he's A) in a good position to know why and B) doesn't say this very often. https://t.co/QiMe7ZJCh2
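For administrators acting on the update advice above, the following added example (not from Google or the original article) sorts a software inventory into hosts at or above the fixed build 72.0.3626.121 and hosts that still need the update. The `host,product version` line format, the hostnames and the sample versions are constructed assumptions. Versions are compared as integer tuples because a plain string comparison ranks 72.0.3626.96 above 72.0.3626.121.

```python
import re

# Fixed build named in the article for CVE-2019-5786.
PATCHED = (72, 0, 3626, 121)

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome 72.0.3626.121
ws-002,Google Chrome 72.0.3626.96
ws-003,Google Chrome 71.0.3578.98
ws-004,Google Chrome 73.0.3683.39
ws-005,Google Chrome unknown
"""

# Chrome versions have four dot-separated numeric components.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory, patched=PATCHED):
    """Group hosts by whether their Chrome build is at or above the fixed build."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_field = line.partition(",")
        version = parse_version(version_field)
        if version is None:
            # No parseable version: report it rather than assume it is safe.
            result["unknown"].append(host)
        elif version >= patched:
            result["patched"].append(host)
        else:
            result["outdated"].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```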