Google Chrome Vulnerability Discovered
A new Google Chrome web browser vulnerability has been spotted and users have been advised to update their browser to the latest released version.
Security researcher Clement Lecigne of Google’s Threat Analysis Group made it known in a blog post where he tagged the flaw as a high severity vulnerability and assigned it as CVE-2019-5786.
He revealed that the vulnerability on the browser affected all the major operating systems including Windows, MacOS, and Linux and could allow cyber-criminals to execute arbitrary code to gain full control over the system.
Although the technical details of the vulnerability were not disclosed, Lecigne noted that it was a use-after-free vulnerability located in the FileReader element of Google Chrome, which can result in remote code execution hacks.
He noted that access to the bug’s technical details and links will remain restricted until a significant number of Chrome users had updated their browsers and patched the flaw.
FileReader in Chrome is an application programming interface (API) that has been specifically designed to permit web applications to read the contents of raw data buffers or files on the user’s computer, using File and Blob to specify the data to be read.
The use-after-free vulnerability in FileReader is a corruption bug that modifies and corrupts data in memory, enabling a hacker to gain higher privileges on the affected computer.
The vulnerability also allows unprivileged users to gain privileges on the Chrome web browser, which allows them to bypass sandbox protection and execute the remote arbitrary codes on the system.
For the vulnerability to occur on a targeted system, an attacker only needs to trick unsuspecting users into opening, or redirecting to a malware-infested crafted webpage.
Google has, in turn, released a stable Chrome 72.0.3626.121 update available for all the affected operating systems. Chrome users have been advised to update their browsers immediately or risk being affected by the flaw that is still being exploited in the wild to target its users.
