Chrome users may want to double-check that their browser is up to date on Windows, macOS, and Linux, following a report from Google indicating that it's patching the browser to fix a zero-day vulnerability it says is already being actively exploited. The vulnerability in question is in the FileReader API, which is used to read and display files stored on the computer, such as PDFs, on the web.
In short, the vulnerability -- marked as CVE-2019-5786 -- is a "use-after-free" bug that allows memory to be corrupted or modified and opens the way for an elevated-privileges attack via the execution of malicious code. Exploitation of the bug doesn't require users to download and install anything, either. Instead, a click on or redirect to an affected webpage is all that's required for the vulnerability to be used.
Android and Chrome OS are being updated with the fix as well.
Updating is easy
The security problem was discovered and reported at the end of February with initial plans to patch it in a larger update before it was discovered to be in active use, pushing the rollout to March 1. Google indicates that the majority of users are already updated but that does leave plenty of computers running on the affected platforms vulnerable. The patch brings the version number to 72.0.3626.121 for desktop users and Android users, and to version 72.0.3626.122 for Chrome OS users.
Both updating the browser to patch the vulnerability and checking that the patched version is installed are relatively straightforward. Users simply need to open the Chrome browser and click on the three-dot menu at the top-right-hand corner of the UI. If an update is available to be installed, a color-coded update icon will be present on the menu. A green icon means the update was recently released, and the icon shifts to orange and then red as time passes.
Clicking that icon will prompt the browser to start the update and the software will be completely installed after the user clicks the "Relaunch" button that should automatically appear when the update is ready.
The software version can be checked from the same menu, under the "Help" option followed by a click on the "About Google Chrome" option. The version number appears just below the page heading.
For Chrome OS users, the update can be found in the Settings application. Navigate to "About Chrome OS", located at the bottom of the three-dash hamburger menu at the top-left-hand side of the UI. A "Check for updates" button will appear near the top of the page.
Android users simply need to navigate to the Google Play Store and update their application.
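When many machines need checking, the comparison against the fixed versions can be scripted instead of opening the About page on each one. The following is an added example, not part of the original article: the inventory format, host names and sample version strings are constructed for illustration, and only the fixed version numbers come from the text above.

```python
import re

# Fixed versions as stated in the article.
PATCHED = {
    "desktop": (72, 0, 3626, 121),
    "android": (72, 0, 3626, 121),
    "chromeos": (72, 0, 3626, 122),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part version from a string such as 'Google Chrome 72.0.3626.119'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    # Compare as integers: as strings, '72.0.3626.99' would sort above '72.0.3626.121'.
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, platform):
    """True if the reported version is at or above the fixed version for that platform."""
    return parse_version(version_text) >= PATCHED[platform]


def audit(inventory):
    """Return (host, status) for every host that is vulnerable or could not be assessed."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            ok = is_patched(version_text, platform)
        except (ValueError, KeyError):
            findings.append((host, "unknown"))  # never assume an unreadable entry is safe
            continue
        if not ok:
            findings.append((host, "vulnerable"))
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE = [
    ("ws-01", "desktop", "Google Chrome 72.0.3626.119"),
    ("ws-02", "desktop", "Google Chrome 72.0.3626.121"),
    ("cb-01", "chromeos", "72.0.3626.121"),  # patched for desktop, not for Chrome OS
    ("ph-01", "android", "Chrome 73.0.3683.75"),
    ("ws-03", "desktop", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than treated as up to date.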
The importance of keeping things updated
The seriousness of the most recent exploit discovered in desktop Chrome harkens back to a recently patched Android-specific bug, highlighting the importance of keeping software up-to-date regardless of the platform. As with CVE-2019-5786, that vulnerability allowed devices to be adversely affected without much actual interaction from the user. Specifically, it allowed the world's most popular mobile operating system to be compromised simply by getting a user to view a specially-modified PNG image file.
If that sounds familiar, it's because the issue is strikingly similar to an even earlier exploit referred to as Stagefright and exploits a near-identical type of bug. Stagefright was patched some time ago but users shouldn't allow that to lull them into a false sense of security. In that Android vulnerability, the issue stemmed from an entirely different library, showcasing how difficult it can be for even a company like Google to have complete oversight of security.