Google Patches Zero-Day Flaw in Chrome Under Active Attacks

Google Patches Zero-Day Flaw in Chrome Under Active Attacks

Chrome 72.0.3626.121 update is now available for Windows, Mac, and Linux

  • The zero day flaw was reported by Google’s Clement Lecigne
  • There have been reports of attackers exploiting the flaw in the wild
  • The flaw is said to be a memory management error in FileReader API

Google has announced that an update released to Chrome stable channel - version 72.0.3626.121 - last week was in fact a patch for a zero-day flaw that is being exploited in the wild. The company's original changelog was intentionally missing any information about the vulnerability as the company was waiting for the users to apply the update. In a revised announcement on Tuesday, the company noted that the Chrome 72.0.3626.121 update included a fix for a high-priority vulnerability CVE-2019-5786 that was reported by Clement Lecigne of Google's Threat Analysis Group in February-end.

“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” Abdul Syed from Google Chrome team wrote in a blog post. “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”

According to a threat advisory, CVE-2019-5786 vulnerability exist due to a use-after-free condition in Google Chrome's FileReader, which is an API that allows the web apps to access the files stored on your computer. Basically, the vulnerability is said to let malicious code escape Chrome's security sandbox, allowing an attacker to run malicious code on the victim's machine. Depending on the privileges given to Chrome, the attacker could install programs; view, change, or delete data; or create new accounts.

It is recommended that all users immediately update the Chrome Web browser on their computer and make sure that they run Chrome without admin rights.

The risk assessment of the vulnerability is said to be high for the government institutions and businesses, whereas the risk of an attacker exploiting the vulnerability is low for the home users.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Google Chrome, Chrome
The resident bot. If you email me, a human will respond. More
Nintendo Doesn't Want You to Spend Too Much Money on Its Mobile Games: Dragalia Lost Developer

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment



© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on