Serious Chrome zero-day – Google says update “right this minute”

Chrome users, make sure you’ve got the very latest version.

Or, as Justin Schuh, one of Chrome’s well-known security researchers, put it:

[L]ike, seriously, update your Chrome installs… like right this minute.

We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be honest – but we have Chrome installed at the moment and can tell you that the version you want is 72.0.3626.121, released at the start of March 2019.

To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help.

This will not only show the current version but also do an update check at the same time, just in case any recent auto-updates have failed or your computer hasn’t called home yet.
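For anyone checking more than one machine, the same comparison can be scripted. The snippet below is an added example, not code from the article or from Google: it parses whatever Chrome prints for `--version` and compares it numerically against 72.0.3626.121, the fixed build named above (assumption: any later build is also fixed; the binary names probed on PATH are the usual Linux/macOS ones and are an assumption too).

```python
import re
import shutil
import subprocess

# Minimum fixed build named in the article (assumption: any later build is also fixed).
FIXED_VERSION = "72.0.3626.121"


def parse_version(text):
    """Return the dotted Chrome version found in *text* as a tuple of ints.

    Chrome prints e.g. 'Google Chrome 72.0.3626.121'. A tuple compares
    numerically, so 100.x sorts after 72.x; a plain string compare would
    wrongly rank '100.0...' below '72.0...'.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no Chrome version found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the installed build is at or above the fixed build."""
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version():
    """Ask a local Chrome/Chromium binary for its version string.

    The binary names are an assumption (common Linux/macOS CLI names).
    Returns None when nothing is found on PATH, so the script stays usable
    on machines without a browser, for example a build server.
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("no Chrome binary found on PATH")
    elif is_patched(found):
        print("OK: %s is at or above %s" % (found, FIXED_VERSION))
    else:
        print("UPDATE NOW: %s is older than %s" % (found, FIXED_VERSION))
```

On Windows the version is easier to read from the About Google Chrome window shown above, or from the version folder under the Chrome install directory, than from the command line.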

The reason that even the Chrome team are wading in with you’d-better-update warnings is the recent appearance of a zero-day security vulnerability, dubbed CVE-2019-5786, for which Google says it is “aware of reports that an exploit […] exists in the wild.”

To clarify.

A vulnerability, or vuln for short, is a bug that makes software go wrong in a way that reduces computer security.

An exploit is a way of deliberately triggering a vulnerability to sneak past a security control.

Exploitable or not?

To be clear, all vulnerabilities represent a risk, by definition, even if the worst you can do with the bug is to crash a program or produce a sea of unexpected error messages.

But in the same sort of way that all thumbs are fingers, while not all fingers are thumbs…

…all exploits arise from vulnerabilities, while not all vulnerabilities can be turned into exploits.

Nevertheless, some vulnerabilities, when analysed, examined, probed and attacked with sufficient ingenuity, can be tricked into doing much more than just provoking an unwanted error or bombing out an app.

For example, attackers may be able to make a program crash in a cunning way that leaves the software alive but with the attackers in direct control of its execution, rather than killing off the program entirely and leaving the attackers staring at an apologetic operating system error message.

You can see why this sort of attack, relying as it does on a specific and treacherous abuse of a vulnerability, ended up with the nickname exploit.

And a zero-day, very loosely speaking, is a vulnerability that the Bad Guys figured out how to exploit before the Good Guys were able to find and patch it themselves.

In other words, a zero-day, often written 0-day for short, is an attack against which even the best-informed sysadmins had zero days during which they could have patched proactively.

The name zero-day is a little curious, given that most 0-days are only noticed several days – or perhaps even weeks or months – after the crooks started using them. Obviously, the longer the crooks can keep an 0-day away from security researchers, the longer it can be abused. The term comes from the old days of piracy and game cracking, where hackers rushed for the bragging rights to be the first to produce cracked versions. The ultimate crack was known as a zero-day – one that came out on the very same day as the legitimate product, meaning that the pirates had zero days to wait before they could leech the game for free.

Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment – as Google says:

Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader.

That’s a programming tool that makes it easy for web developers to pop up menus and dialogs asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail.

When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren’t supposed to.

Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.

RCE almost always means crooks can implant malware without any warnings, dialogs or popups.

Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.

What to do?

There doesn’t seem to be a workaround, but if you make sure you’re up to date, you don’t need one because the bug will be squashed.

Without a vulnerability to exploit, the exploit – rather obviously – isn’t and can’t, so patching is the ultimate fix for this one.
