Google has announced that an update released to Chrome stable channel - version 72.0.3626.121 - last week was in fact a patch for a zero-day flaw that is being exploited in the wild. The company's original changelog was intentionally missing any information about the vulnerability as the company was waiting for the users to apply the update. In a revised announcement on Tuesday, the company noted that the Chrome 72.0.3626.121 update included a fix for a high-priority vulnerability CVE-2019-5786 that was reported by Clement Lecigne of Google's Threat Analysis Group in February-end.
“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” Abdul Syed from Google Chrome team wrote in a blog post. “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
According to a threat advisory, CVE-2019-5786 vulnerability exist due to a use-after-free condition in Google Chrome's FileReader, which is an API that allows the web apps to access the files stored on your computer. Basically, the vulnerability is said to let malicious code escape Chrome's security sandbox, allowing an attacker to run malicious code on the victim's machine. Depending on the privileges given to Chrome, the attacker could install programs; view, change, or delete data; or create new accounts.
It is recommended that all users immediately update the Chrome Web browser on their computer and make sure that they run Chrome without admin rights.
The risk assessment of the vulnerability is said to be high for the government institutions and businesses, whereas the risk of an attacker exploiting the vulnerability is low for the home users.