Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates
No piece of software is perfect, and sometimes vulnerabilities can go undiscovered for a long time. For instance, a WinRAR flaw was out in the open for almost two decades. Google’s latest Chrome bug isn’t that old, but it’s much more dangerous. Google has issued a patch for the vulnerability, but this is a “zero-day” flaw, meaning there are already online troublemakers using the vulnerability to attack Chrome. If you haven’t let Chrome update recently, take the time to do it now.
Google says this vulnerability is so severe that it’s withholding details until most Chrome installs have been patched to the latest version, which is v72.0.3626.121 in the stable channels. There should be corresponding updates in the beta and dev channels as well. Google’s blog post on the vulnerability calls it “CVE-2019-5786: Use-after-free in FileReader.”
All we know right now is that the attack involves the Chrome FileReader API. That’s the component that allows the browser to access local files on a machine. The “Use-after-free” bit refers to a class of memory-corruption vulnerabilities, in which a program keeps using memory after it has been released, that could allow an attacker to execute malicious code on a machine. Since this was a zero-day, Google didn’t know anything about it. Thus, all Chrome installations were vulnerable.
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
We also do not know the scale of the attacks on Chrome, but Google was concerned enough to withhold most of the details. Browsers contain so much of our digital lives now that any vulnerability is potentially disastrous. Luckily, it’s very rare that nefarious online individuals will spot a serious vulnerability before Google or outside security researchers. We should know more about the flaw once most Chrome users are running a patched build.
It was Google’s own Threat Analysis Group that spotted the flaw in Chrome on Feb. 27. The patch started rolling out shortly thereafter. Chrome gets frequent updates, and depending on your usage pattern, it may already be installed. The browser automatically updates when you restart it. However, some people leave Chrome instances running for weeks at a time without giving it a chance to update. Now is the time to give Chrome a breather if you haven’t.
You can find out what version of Chrome you’re running by going to Settings > Menu > About Chrome. If it’s not updated, you can initiate a manual download.
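For anyone checking many machines rather than one, the same version comparison can be scripted. The following is an added example, not code from Google or the original article: the host names and version strings are constructed, and the threshold is the stable-channel build named above (the beta and dev channels have their own fixed builds, which the article does not list).

```python
import re

# Patched stable-channel build named in the article.
PATCHED = (72, 0, 3626, 121)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract the 4-part version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, minimum=PATCHED):
    """True if the reported version is at or above the patched build.
    Compared as integer tuples: as plain strings, "3626.96" sorts after "3626.121"."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return version >= minimum


def audit(inventory):
    """Return the sorted hosts that need the update. Unparseable entries are
    flagged too, since an unknown version cannot be assumed safe."""
    flagged = []
    for host, reported in inventory.items():
        try:
            if not is_patched(reported):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed inventory: host names and reported strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 72.0.3626.121",
    "ws-02": "Google Chrome 72.0.3626.96",
    "ws-03": "Google Chrome 71.0.3578.98",
    "ws-04": "version unknown",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required ({SAMPLE_INVENTORY[host]})")
```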