No piece of software is perfect, and sometimes vulnerabilities can go undiscovered for a long time. For instance, a WinRAR flaw was out in the open for almost two decades. Google’s latest Chrome bug isn’t that old, but it’s much more dangerous. Google has issued a patch for the vulnerability, but this is a “zero-day” flaw, meaning there are already online troublemakers using the vulnerability to attack Chrome. If you haven’t let Chrome update recently, take the time to do it now.
Google says this vulnerability is so severe that it’s withholding details until most Chrome installs have been patched to the latest version, which is v72.0.3626.121 in the stable channel. There should be corresponding updates in the beta and dev channels as well. Google’s blog post on the vulnerability calls it “CVE-2019-5786: Use-after-free in FileReader.”
All we know right now is that the attack involves the Chrome FileReader API. That’s the component that allows the browser to access local files on a machine. The “Use-after-free” bit refers to a class of vulnerabilities that could allow an attacker to execute malicious code on a machine. Since this was a zero-day, Google didn’t know anything about it. Thus, all Chrome installations were vulnerable.
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
We also do not know the scale of the attacks on Chrome, but Google was concerned enough to withhold most of the details. Browsers contain so much of our digital lives now that any vulnerability is potentially disastrous. Luckily, it’s very rare that nefarious online individuals will spot a serious vulnerability before Google or outside security researchers. We should know more about the flaw once most Chrome users are running a patched build.
It was Google’s own Threat Analysis Group that spotted the flaw in Chrome on Feb. 27. The patch started rolling out shortly thereafter. Chrome gets frequent updates, and depending on your usage pattern, the patch may already be installed. The browser automatically updates when you restart it. However, some people leave Chrome instances running for weeks at a time without giving them a chance to update. Now is the time to give Chrome a breather if you haven’t.
You can find out what version of Chrome you’re running by going to Settings > Menu > About Chrome. If it’s not updated, you can initiate a manual download.
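For anyone checking more than one machine, the same version check can be scripted. The following is an added example, not code from Google or from this article: it compares reported version strings against the patched stable build named above, using a constructed inventory of hypothetical host names and version strings. It assumes stable-channel installs only, since the article gives no patched build numbers for beta or dev.

```python
import re

# Patched stable-channel build named in the article.
PATCHED = (72, 0, 3626, 121)

# Chrome versions have four dotted numeric parts.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull the four-part version out of a string such as the one shown on
    the About Chrome page; return None when no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_patched(text, minimum=PATCHED):
    """True if at or above the patched build, False if older, None if the
    version could not be parsed. Parts are compared as integers, because a
    plain string comparison would rank '...3626.99' above '...3626.121'."""
    version = parse_version(text)
    if version is None:
        return None
    return version >= minimum


def audit(inventory):
    """Return {host: reason} for every host that is not confirmed patched."""
    findings = {}
    for host, reported in inventory.items():
        state = is_patched(reported)
        if state is None:
            findings[host] = "unknown version"
        elif state is False:
            findings[host] = "needs update"
    return findings


# Constructed sample data: hypothetical hosts and version strings.
SAMPLE = {
    "laptop-01": "Google Chrome 72.0.3626.121",
    "laptop-02": "Google Chrome 72.0.3626.99",
    "kiosk-03": "Google Chrome 71.0.3578.98",
    "desk-04": "chrome: command not found",
}

if __name__ == "__main__":
    for host, reason in sorted(audit(SAMPLE).items()):
        print(f"{host}: {reason}")
```

Hosts reported as "unknown version" are listed rather than skipped, so a machine that returned no usable version string is not mistaken for a patched one.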