Google Chrome and Windows 7 Flaws Being Actively Exploited in the Wild

All Chrome users have been advised to update to the latest version of the browser – 72.0.3626.121 – as soon as possible to prevent a zero-day flaw from being exploited.

Google released the new Chrome version on March 1, 2019, which addressed a use-after-free vulnerability in the FileReader component of Chrome that is being tracked as CVE-2019-5786. FileReader is an API used by web applications to read the contents of files stored on a computer.

Google subsequently updated the release notes to confirm that CVE-2019-5786 is being actively exploited in the wild and, consequently, has now been rated a high severity vulnerability. If the flaw is exploited, it could allow an attacker to remotely execute code on a vulnerable device. The vulnerability affects Chrome on all supported platforms, including Windows, macOS, and Linux.

The flaw could be exploited by getting a user with a vulnerable Chrome version to visit a specially crafted web page, for example via a link in a phishing email. The flaw would allow an attacker to use previously freed memory via the API to execute code, triggering a denial of service condition or taking control of the computer. However, code could only be run with the privileges of the browser process.

Google is pushing the update through the auto-update feature of Chrome, but users have been advised to check that they are running the latest version and update manually if the update has not been applied. While the update is being applied automatically, the user will not be protected until the browser is restarted.
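One way to act on this advice across a fleet of machines, as an added example that is not from the article: compare each reported Chrome version numerically against the fixed build 72.0.3626.121 rather than as a string. The inventory data below is constructed, and the check cannot tell whether the browser has been restarted since the update was applied.

```python
"""Flag Chrome installs that are still below the fixed build for CVE-2019-5786.

Added example, not from the original article. The inventory is constructed
sample data; the fixed version 72.0.3626.121 is the one given in the article.
"""
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "72.0.3626.121"  # first Chrome release containing the fix

# Constructed sample inventory: (hostname, Chrome version string as reported)
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "72.0.3626.121"),
    ("ws-02", "72.0.3626.96"),    # string comparison would wrongly call this newer
    ("ws-03", "73.0.3683.20"),
    ("ws-04", "71.0.3578.98"),
    ("ws-05", "not installed"),   # malformed / missing data must not pass silently
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if it cannot be parsed.

    Tuples of ints are compared on purpose: comparing the raw strings would
    rank '72.0.3626.96' above '72.0.3626.121' because '9' sorts after '1'.
    """
    have, want = parse_version(version), parse_version(fixed)
    if have is None or want is None:
        return None
    return have >= want


def find_exposed(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host needing attention to 'vulnerable' or 'unknown'."""
    exposed: Dict[str, str] = {}
    for host, version in inventory:
        status = is_patched(version)
        if status is False:
            exposed[host] = "vulnerable"
        elif status is None:
            exposed[host] = "unknown"
    return exposed


if __name__ == "__main__":
    for host, reason in find_exposed(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason} - update Chrome and restart the browser")
```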

Google has also publicly disclosed a previously unknown vulnerability in Microsoft Windows. The zero-day flaw, in the win32k.sys kernel driver, appears to be exploitable only on Windows 7 32-bit systems and Windows Server 2008.

The Windows flaw can be used to elevate privileges and escape security sandboxes when chained with a browser vulnerability. Google has observed the Windows flaw being actively exploited on Windows 7 32-bit systems in conjunction with CVE-2019-5786. Google reported the flaw to Microsoft, which is currently working on a fix.

Google has advised all users that are still using Windows 7 to consider upgrading to Windows 10 as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news