Google reveals Chrome zero-day vulnerability was under active attacks at the time of patch
- The vulnerability is a use-after-free vulnerability, a type of memory error that allows an app to access memory after it has been deleted from Chrome's allocated memory.
- Google Chrome users are advised to update to Google Chrome version 72.0.3626.121.
Google disclosed that the zero-day vulnerability that was patched on March 1, 2019, was under active attacks at the time of the patch. The vulnerability tracked as CVE-2019-5786 was patched in Chrome 72.0.3626.121 version.
The big picture - Google described the vulnerability as a memory management error in Google Chrome’s FileReader. FileReader is a web API that allows web apps to read the contents of files stored on the user’s system.
To be precise, the vulnerability is a use-after-free vulnerability, a type of memory error that allows an app to access memory after it has been deleted from Chrome’s allocated memory. This type of memory access operation could lead to the execution of malicious code.
Chaouki Bekrar, CEO of exploit acquisition platform Zerodium, tweeted that the vulnerability lets malicious code to bypass Chrome’s security sandbox and run commands on the operating system.
“Google discovered a Chrome RCE #0day in the wild (CVE-2019-5786). Reportedly, a full chain with a sandbox escape. In 2019, I expect epic 0days to be found in the wild: Android, iOS, Windows, Office, virtualization, and more. Stay safe and enjoy the show,” Chaouki Bekrar tweeted.
Memory management issues
According to Microsoft security engineer Matt Miller, roughly 70 percent of all vulnerabilities that Microsoft patches every year are memory management errors.
Most of the errors come from using C and C++, two ‘memory-unsafe’ programming languages, are also used for the Chromium source code, the open source project on which Google Chrome is based on.
The bottom line - Google Chrome users are advised to update to Google Chrome version 72.0.3626.121.