Although Halloween has passed, Google has not failed to scare us. The search engine giant issued an urgent update announcement for Chrome across all platforms. Two security vulnerabilities were discovered, one of which has a zero-day exploit.
The vulnerability (CVE-2019-13720) exists in Google Chrome’s audio component and was discovered by security researchers Anton Ivanov and Alexey Kulaev at Kaspersky.
On October 31, Google confirmed an update for Chrome to version 78.0.3904.87 across the Windows, Mac, and Linux platforms. According to Google, the crucial update will start rolling out ‘over the coming days/weeks.’
Google issued a statement, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on but haven’t yet fixed.”
Google Chrome’s security team discovered a zero-day vulnerability, tracked as CVE-2019-5786.
If your Google Chrome version reads: 72.0.3626.121
Don’t worry, you’re safe. But if it’s anything else… you have to update your Chrome version right now by going to the following URL:
This is the only way to squash the bug. You have to update right now and make sure to tell as many people as possible. Keep in mind that Google Chrome is one of the most used browsers in the world. The threat is real!
Secure yourself and your loved ones as soon as possible.
Google Chrome Users Are At Risk!
Google Chrome is on our safest browsers list primarily because of Google’s fantastic response time to vulnerabilities. The most recent zero-day vulnerability was fixed in a new version release. Their response time and approach were similar to how our engineers responded to the VORACLE vulnerability.
What are Zero Day (0day) Vulnerabilities?
Zero Day or 0day vulnerabilities are loopholes or vulnerabilities that are unknown to the software developers at the time of release. These are dangerous because most 0day vulnerabilities (or vulns, as some call them) in the past have been very damaging: privacy concerns, financial losses, and even possible physical harm.
These can only be fixed by either uninstalling the program or updating the software in question with a new and improved version where the developers have confirmed the loophole has been fixed.
How Dangerous is this Google Chrome zero-day?
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
According to Google, no details will be released about how damaging the current zero-day exploit is until the majority of Chrome users have updated their browsers. This approach ensures safety for consumers and partners – keeping hungry hackers, sniffers and malicious individuals at bay.
Google also went on to say…
Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild
“In the wild” pretty much implies that this vulnerability is known to a small percentage of technical elites, and some of those might not have what’s best for the average Joe at heart.
Justin Schuh, who leads Google Chrome’s Security and Desktop engineering team, tweeted:
Last week we got to deal with a real 0day chain and a faux 0day at the same time. I wonder which one will get more attention? 🤔 https://t.co/DfeyoB7geY
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
Who you should really pay attention to
Pierluigi, an experienced and well-respected security researcher*, shows the serious nature of this vulnerability in his recent blog on Security Affairs.
You must update your Google Chrome immediately to the latest version of the web browsing application.
A use-after-free flaw in the FileReader component could be exploited by unprivileged attackers to gain privileges on the Chrome web browser and to escape the sandbox to run arbitrary code.
If that went over your head, this next quote from the same article is slightly more reader-friendly.
The attack scenario sees threat actors tricking victims into opening, or redirecting them to, a specially-crafted webpage.
Google addressed the issue by rolling out a stable Chrome update 72.0.3626.121 for Windows, Mac, and Linux operating systems.
Like most security experts, Pierluigi also insists on the following.
Don’t waste time and update your Chrome web browser.
*More on Pierluigi here.
Who is affected by Google Chrome’s 0day vulnerability?
With the information available so far, Windows, Mac and Linux users would be affected by this. All 3 operating systems have received a new version update that can be installed immediately!
How to Patch the Google Chrome Vulnerability (0day)
The solution is to simply update your Chrome installation – right now.
Step 1. In your Chrome URL bar, type in:
Step 2. Click Update or Relaunch
This is what you might see if your update is already downloaded and all you need is a relaunch.
This is what you would see if your version has been updated successfully.
According to Google, if you have this version you are safe from the zero-day vulnerability that Chrome is facing at the moment.
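The same version check can be scripted when there are many machines to look after. The sketch below is an added example, not part of the original article or of any Google tooling; it compares reported builds against the two fixed releases named on this page (72.0.3626.121 and 78.0.3904.87) using numeric rather than text comparison. The host names and inventory are constructed sample data.

```python
import re

# Fixed desktop releases named in the article, keyed by the CVE each one patches.
FIXED_IN = {
    "CVE-2019-5786": (72, 0, 3626, 121),
    "CVE-2019-13720": (78, 0, 3904, 87),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of a string such as
    'Google Chrome 78.0.3904.87' and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def missing_fixes(version_text):
    """List the CVEs whose fixed release is newer than this build.

    Tuples of ints compare field by field, so 78.0.3904.108 is correctly
    newer than 78.0.3904.87; comparing the raw strings would say otherwise.
    """
    version = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory):
    """Map each host to the fixes it lacks, or ['UNKNOWN'] if unparseable."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = missing_fixes(version_text)
        except ValueError:
            report[host] = ["UNKNOWN"]  # needs a manual look, not a pass
    return report


# Constructed inventory (hypothetical hosts and reported version strings).
INVENTORY = {
    "laptop-01": "Google Chrome 72.0.3626.119",
    "laptop-02": "Google Chrome 72.0.3626.121",
    "desktop-03": "Google Chrome 78.0.3904.70",
    "desktop-04": "Google Chrome 78.0.3904.87",
    "kiosk-05": "Google Chrome 78.0.3904.108",
    "server-06": "not installed",
}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {'up to date' if not result else ', '.join(result)}")
```

A build older than a fixed release is reported as lacking that fix; whether the flaw is reachable in that build is a separate question the version number alone does not answer.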
Spread the word
Google Chrome is the most used internet browser in the world! It’s highly likely that your children, siblings, spouse, and colleagues use it at work and/or at home. Make sure they update their browsers as well.
Pierluigi Paganini is an Italian cyber security professional with 20 years’ worth of experience in the field. He is an EC Council London Certified Ethical Hacker, and founder of the top security blog Security Affairs. He is also a team member for Hacker News and has written for major publications such as Infosec Island, The Hacker News Magazine, Cyber War Zone, InfoSec Institute, ICTTF, as well as many other security magazines.
He is also:
- The CTO at Cybaze Enterprise SpA
- A member of the European Union Agency for Network and Information Security (ENISA) Threat Landscape Stakeholder Group
- A member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation
- A Professor and Director of the Master in Cyber Security at the Link Campus University
- The Editor-in-Chief at Cyber Defense Magazine