Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates

No piece of software is perfect, and sometimes vulnerabilities go undiscovered for a long time. For instance, a WinRAR flaw sat unnoticed for almost two decades. Google's latest Chrome bug isn't nearly that old, but it's much more dangerous. Google has issued a patch, but this is a "zero-day" flaw: attackers were already exploiting it in the wild before a fix was available. If you haven't let Chrome update recently, take the time to do it now.
Google says the vulnerability is serious enough that it is withholding details until most Chrome installs have been updated to the patched version, v72.0.3626.121 on the stable channel. Corresponding updates should follow in the beta and dev channels. Google's blog post on the vulnerability identifies it as "CVE-2019-5786: Use-after-free in FileReader."
All we know right now is that the bug lies in Chrome's FileReader API, the web API that lets a page read the contents of files the user has handed to it (for instance through a file picker or drag-and-drop). "Use-after-free" describes a class of memory-corruption bugs in which a program keeps using a block of memory after it has been released; in a browser, such a bug can allow an attacker to execute malicious code on the machine. Because this was a zero-day, Google had no chance to fix it before attackers began using it, so every Chrome installation was exposed until the patch arrived.
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
We also don't know the scale of the attacks, but Google was concerned enough to withhold most of the details. Browsers hold so much of our digital lives now that any serious vulnerability is potentially disastrous. Fortunately, it is rare for attackers to find and exploit a serious browser flaw before Google or outside security researchers do. We should learn more about this one once most Chrome users are running a patched build.
The flaw was reported by Google's own Threat Analysis Group on Feb. 27, and the patch began rolling out shortly afterward. Chrome updates frequently, and depending on your usage pattern the fix may already be installed: the browser downloads updates in the background and applies them when it is relaunched. However, some people leave Chrome running for weeks at a time without ever giving it that chance. Now is the time to relaunch it if you haven't.
You can find out which version of Chrome you're running from the browser menu under Help > About Google Chrome (or by opening chrome://settings/help). Opening that page also makes Chrome check for an update; if one has been downloaded, a Relaunch button appears, and the fix is only in effect once you have relaunched.
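If you manage more than one machine, clicking through the About page on each is not practical. The following script is an added example and not part of the article or of Google's own tooling: it compares an installed Chrome version against the fixed stable build named in the advisory, 72.0.3626.121, comparing each dotted field numerically rather than as a string (a plain string comparison would rank 72.0.3626.9 above 72.0.3626.121). The `CHROME_BIN` variable and the default `google-chrome` binary name are assumptions for a Linux install; adjust them for your platform.

```shell
#!/bin/sh
# Added example (not from the article): check an installed Chrome version
# against the stable build that fixes CVE-2019-5786.
# Usage: ./check_chrome.sh [VERSION]
#   With no argument, the version is read from $CHROME_BIN (assumed default:
#   google-chrome on PATH).

FIXED_VERSION="72.0.3626.121"

# version_ge A B: returns 0 (true) if dotted version A >= B.
# Fields are compared numerically one at a time; a missing field counts as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Strip the field just examined (or empty the string on the last field).
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0   # every field equal
}

# chrome_status VERSION: prints "patched" or "vulnerable" for VERSION.
chrome_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# installed_version [VERSION]: echo the argument if given, otherwise ask the
# binary. Chrome prints something like "Google Chrome 72.0.3626.121"; we keep
# the first run of digits and dots. (Binary name is an assumption.)
installed_version() {
    if [ -n "$1" ]; then
        echo "$1"
    else
        "${CHROME_BIN:-google-chrome}" --version 2>/dev/null \
            | grep -o '[0-9][0-9.]*' | head -n 1
    fi
}

main() {
    v="$(installed_version "$1")"
    if [ -z "$v" ]; then
        echo "could not determine Chrome version" >&2
        return 2
    fi
    printf '%s: %s (fixed in %s)\n' "$v" "$(chrome_status "$v")" "$FIXED_VERSION"
}

# Only act when invoked with an argument or an explicit binary, so the
# functions can also be sourced from another script without side effects.
if [ "$#" -gt 0 ] || [ -n "$CHROME_BIN" ]; then
    main "$1"
fi
```

Note that a version number alone only tells you what is installed on disk: a Chrome process that has been running since before the update was downloaded is still the old code until it is relaunched, which is exactly the situation the article warns about.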