Sophos Cloud Optix
Chrome users, make sure you’ve got the very latest version.
Or, as Justin Schuh, one of Chrome’s well-known security researchers, put it:
[L]ike, seriously, update your Chrome installs… like right this minute.
We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be honest – but we have Chrome installed at the moment and can tell you that the version you want is 72.0.3626.121, released at the start of March 2019.
To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help.
This will not only show the current version but also do an update check at the same time, just in case any recent auto-updates have failed or your computer hasn’t called home yet.
The reason that even the Chrome team are wading in with you’d-better-update warnings is the recent appearance of a zero-day security vulnerability, dubbed CVE-2019-5786, for which Google says it is “aware of of reports that an exploit […] exists in the wild.”
To clarify.
A vulnerability, or vuln for short, is a bug that makes software go wrong in a way that reduces computer security.
An exploit is a way of deliberately triggering a vulnerability to sneak past a security control.
Exploitable or not?
To be clear, all vulnerabilities represent a risk, by definition, even if the worst you can do with the bug is to crash a program or produce a sea of unexpected error messages.
But in the same sort of way that all thumbs are fingers, while not all fingers are thumbs…
..,all exploits arise from vulnerabilities, while not all vulnerabilities can be turned into exploits.
Nevertheless, some vulnerabilities, when analysed, examined, probed and attacked with sufficient ingenuity, can be tricked into doing much more than just provoking an unwanted error or bombing out an app.
For example, attackers may be able to make a program crash in a cunning way that leaves the software alive but with the attackers in direct control of its execution, rather than killing off the program entirely and leaving the attackers staring at an apologetic operating system error message.
You can see why this sort of attack, relying as it does on a specific and treacherous abuse of a vulnerability, ended up with the nickname exploit.
And a zero-day, very loosely speaking, is a vulnerability that the Bad Guys figured out how to exploit before the Good Guys were able to find and patch it themselves.
In other words, a zero-day, often written 0-day for short, is an attack against which even the best- informed sysadmins had zero days during which they could have patched proactively.
The name zero-day is a little curious, given that most 0-days are only noticed several days – or perhaps even weeks or months – after the crooks started using them. Obviously, the longer the crooks can keep an 0-day away from security researchers, the longer it can be abused. The term comes from the old days of piracy and game cracking, where hackers rushed for the bragging rights to be the first to produce cracked versions. The ultimate crack was known as a zero-day – one that came out on the very same day as the legitimate product, meaning that the pirates had zero days to wait before they could leech the game for free.
Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment – as Google says:
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader.
That’s a programming tool that makes it easy for web developers to pop up menus and dialogs asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail.
When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren’t supposed to.
Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.
RCE almost always means a crooks can implant malware without any warnings, dialogs or popups.
Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.
What to do?
There doesn’t seem to be a workaround, but if you make sure you’re up to date, you don’t need one because the bug will be squashed.
Without a vulnerability to exploit, the exploit – rather obviously – isn’t and can’t, so patching is the ultimate fix for this one.
LISTEN NOW: LEARN MORE ABOUT VULNERABILITIES
(Audio player not working? Download the MP3, listen on Soundcloud, or get it from iTunes.)
Does anyone know if this vulnerability affects Linux and Mac as well? I see the latest release is on all platforms; but I no mention of the vuln aside Windows.
I’ll get everyone updated–just hoping to help prioritize…
If I were to guess I’d guess that the buggy code applies everwhere (use-after-free, I think) but I’d be surprised if a working, wild exploit had been figured out for every platform. The official notes we link to above have Google saying they’re aware of an in-the-wild exploit but no more detail than that. Not that I could see last I looked [2019-03-06T17:00Z].
Yes. The vulnerability is in the browser’s code itself. If you have the stable channel for Chrome added into Linux, then you just have to run ‘sudo dnf update.’
I would also like to know that and I would suspect “yes” would be the answer. I usually use Firejail with any Linux web based application to limit what it has access to. Does anyone know whether this also affects Opera and Chromium?
The release notes (see link in article and follow your nose from there) lead to a Chromium report, so it’s code in the core browser that has the bug.
Whether any exploits are floating around that actually work on Chromium builds, or other Chromium derivatives, I don’t know.
I’d be slightly surprised if there were an Android version of the exploit, assuming the Android version even supports FileReader at all (the concept of “local files” is pretty different on Android due to app sandboxing snd separation).
I’d have thought that if you wanted to infect a heap of Androids there would be much easier ways to get in – ones that wouldn’t require burning a zero-day.
Thanks so very much. URL is not functioning.
Which URL do you mean?
If you’re referring to the Chrome one – it isn’t meant to be clickable because it’s a browser-specific URL so it wouldn’t work for everyone.
It’s there for documentation – if you have Chrome and want to use it you will need to retype it or copy-and-paste it.
HtH.
Does this also effect Android users as well on their cell phone or is this mainly a desktop/laptop issue?
From my understanding, this effects desktop as well as mobile (android and chrome OS are included). However, the good news is…android and chrome OS are good to go as long as they get patched.
• Android users need to patch to: v72.0.3626.121
• Chrome OS users need to patch to: v72.0.3626.122
Look at this blatant illuminati reference! Wow Google, you too?!
Somebody else got it, too
Thank you for info.
Just quit and restart Chrome. No need to fight with an link you can’t click.
The link was listed so you know what it is for next time. It’s not clickable in the article because it isn’t a URL in the general sense – it only works for Chrome users.
Say what you will about Chrome, but Firefox isn’t without its share of issues. Biggest one for me is rendering unicode domains. (Open [readcted test site] in both Firefox and Chrome and observe the difference in the URL bar.)
Fair point – but I wasn’t suggesting Firefox is somehow perfect or immune to bugs, just that there are viable and excellent browsers beyond Chrome.
The International Domain Name (IDN) issue you mention is covered in careful detail here:
https://nakedsecurity.sophos.com/phishing-with-punycode-when-foreign-letters-spell-english-words
To be fair, the Chrome bug is a remotely exploitable 0-day while the Firefox issue you mention isn’t. However, we agree that Mozilla’s insistence that IDNs should not be filtered because that smacks of political incorrectness is a step too far.
FWIW, setting
network.IDN_show_punycode=truein the Firefoxabout:configscreen is a good solution if you mostly use sites with traditional domain names. (Details at the above link.)I am not getting updates for my phone
Please learn the meaning of the word “ironically”
The security hole is in a product component called FileReader, which is dedicated to letting your browser read local files. But the bug is not in the code that reads local files. It potentially lets you do anything at all. I am satisfied that is at least a small irony.
I don’t think an article like this should have commentary about Chrome. This doesn’t add to the topic at all:
“We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be honest.”
I would have shared this article with our customers – many of whom use Chrome for a variety of good reasons – if it was not for this totally unrelated comment.
Thanks.
It’s vaguely related because I’ve mentioned many times before that I’m a Firefox user. So it’s worth saying that although my own preference is for Firefox I nevertheless do have Chrome, have checked the update situation myself, and am not just repeating what someone else said.
That’s all. About twice as many people use Chrome as a desktop browser than Firefox. I don’t think they need to feel threatened because I don’t :-)
Understood, but we have recommended Chrome to our customers for performance and other reasons, and if I shared this article with them, they might question our judgment.
Or this article might be just the thing to set their minds at rest – even a bloke who doesn’t himself use Chrome is saying, “Despite reports of a gaping zero-day hole in Chrome you needn’t panic. Just check you’re patched and carry on, and here’s how to check.”
After all, your customers are going to hear about the 0-day hole somewhere, so skirting the news and hoping they won’t notice isn’t going to work…
Just out of interest, can you give us some context and detail around why you’re not a big fan of Chrome?
As mentioned in the article, I just prefer Firefox slighly for both form and function.
I’ve always preferred the visuals of Firefox – the configuration pages, how the tabs look, the fact that for a long time Chrome wasn’t quite a native app on the Mac. For example, I like my desktop set so that the Mac “traffic light” buttons are all grey, but for ages Chrome wouldn’t honour that, painting its own red-yellow-green buttons instead, and in that period I formed my likes and dislikes.
Tiny things – but, all other things being equal, why take something you enjoy less just because everyone else is?
And on the functionality front, I’ve always liked the ease with which Firefox lets me do cookie control, so I can easily verify that exiting the program will autoflush my local web storage and cookies.
There are a few other factors in my broader world, too. I tend to use Google (or else DDG) for search; I therefore figured I’d try Microsoft for my personal email, just to spread the PII love a bit, and found Outlook.com so much more to my taste in usability than Gmail that I’ve never considered switching. These days I’ve got Apple for my phone OS…
…so I figured, why not stick to Firefox for my laptop browsing, and spread my privacy eggs across multiple baskets? (I know there is an argument that it’s better to pick one basket and stick to it, but in this case I thought that divide-and-conquer would work out better in the end.)
To be clear, if ever I form the opinion that the software safety of Firefox is lower than that of Chrome by a statistically significant amount, I am ready to switch in a moment. I’m not married to Firefox. Just going fairly steady at the moment, though I’m free to hang out with other browsers when it’s expedient.
Chuckling over the “jealous mate” metaphor.
I’ve had a similar experience to yours, albeit in different ways. I didn’t care for Chrome at first, but begrudgingly switched during Firefox’s chronic memory-gobbling days. I’ve always been a tab hoarder, and for a while Firefox could not efficaciously (or even marginally) handle more than twenty or so. In fairness this was also before I began policing JavaScript.
Now I’m used to Chrome and have stuck by it through several annoyances, teetering at the passwd auto generation and finally giving up the ghost after the auto-login debacle. I now use Chromium, with Firefox on the side.
Switching to Chromium doesn’t likely give me as much separation as I’d like, but it still makes me feel better (security theater, anyone?) affording me a familiar interface in the process. I’ve wished on numerous occasions I could just get past the quirks of Opera.
True enough. To be clear – we did issue an alert to our many customers, alerting them to take the Chrome update ASAP. I included links to several articles and the google page.
My point was that in an article about a chrome vulnerability, saying “we’re not big Chrome fans”:
1. Does nothing for the article – this is a security discussion
2. Undermines the credibility of your article in some circles
3. Brings up a totally unrelated and controversial point about which browser to use without actually providing any factual evidence for or against a browser.
I personally prefer Safari for many things, and I would explain to others that it is because I honestly think Apple respects my privacy. Also it integrates nicely with my Mac devices. However, I use Chrome for work – it performs best – and Firefox for security testing because it works well as a proxy.
It always becomes a bit of a holy war when it comes down to operating systems and browsers, and I honestly don’t get it. There are things I prefer about each OS and browser I use. I can see the good points in each, and I’m unwilling to trash any of them unless there is a good reason for doing so. When Chrome first came out, it was full of holes, for example – at that time it was good to avoid it and to tell others to do the same.
Thanks for listening.
Well, I’m not a big Chrome fan, but even so, I have it installed and I have updated it.
Naked Security articles have personality. I like that.
If you want your more staid, facts-only type of security bulletin to share with people who may be a bit triggered by the fact that somebody might not have as their first preference the browser they are using, you can share this: [URL redacted]
Thanks – we appreciate your kind words!
We generally describe this website (plus our videos and podcasts) as being all about news, opinion, advice and research – and although my opinion in this case isn’t particularly important, I think it has at least *some* relevance. My aim was to suggest that browser choice isn’t always about security, or what everyone else says, or what IT has decided – I use Firefox for the very simple reason that I like it, and – in the absence of any compelling reason or danger saying “don’t run Firefox” – that’s OK. But even though I am not a big Chrome fan, I do have it installed for some Chrome-only services I use, and although it’s my second-choice browser, that doesn’t mean I can take a second-rate attitude to patching it.
…and I’ve learned that URLs here are redacted (I guess I understand why) so I won’t try that again 😉
It is fair to comment on the value of an alternative browser when the majority are using Chrome and are susceptible to this particular fault. People need to be aware of their options. It amazes me how far Chrome has penetrated the market and how few users are aware of privacy concerns.
Note that you can also upgrade Google Chrome by going to he 3 vertical dots menu, Help -> About Google Chrome.
I reckon that’s a little less scary for inexperienced users than typing in an arcane URL into the address bar…
We all know we should Update Apps. I Don’t believe that if we don’t update we will be hacked or have a bug. Anyone now can hack you even with a Password. Usually if I’m late on Updating a App the App will not let me play or get on with out updating first. Did we run out of Ideas to throw at people or news lately. Lol
You should probably read the section where we explain the words vulnerability (a bug that can cause security problems), exploit (a trick that uses a vulnerability to cause security problems), zero-day (an exploit that the crooks have already been using to hack people before a patch came out) and remote code execution (an exploit where the crooks can infect your computer without you even realising).
Simply put: this is a bug that crooks *can* use to hack you. It is a bug that some crooks *have* been using to hack some people.
Google patched Chrome to neutralise the threat. So why not make sure you have the patch, when even Google is urging you to?
This is why you don’t run TV ads stating you’re completely immune to viruses.
Illuminati much?
how i can disable “File Reader API” in Chrome Browser on Windows workstation? (Registry, GPO, Command..)
Thanks
I’m getting tired of this worn out hearsay and rumors culture in cybersecurity and infosec.
1. Yeah, it used to be good thing, then things scaled up and profit became important
2. “reports of it being used in the wild” should be substantiated by those reports, not a mention
3. Not one source actually bothers to document what these reports are about and where they came from
4. Trust is a fickle thing, it can also turn into blind obedience and a false sense of authority.
Well, here’s the thing – Google, despite the “publish and be damned” approach of Project Zero when a bug doesn’t get fixed in what it thinks is a reasonable time, apparently has a more conciliatory attitude when it comes to not exposing bug details immediately just because they have been fixed. I think the article makes it clear how and why we got a bug disclosure that isn’t yet complete.
My gut feeling is that, because Google isn’t exactly making itself look *better* by admitting this is not only a vulnerability but also a hole for which a zero-day exploit going round, it’s reasonable to believe that they’re telling the truth. And, hey, the only thing you need to do is make sure your Chrome has updated, which for many people it will have done anyway. There’s simply no need to refuse to update just because there’s no proof-of-concept exploit publicly available yet.
Google essentially had nothing to gain by saying what it did, so why not just take them at their word on this one? I can’t see any downside in ths case – it’s not like the “Momo” hoax, where sharing a falsehood makes it worse. There is a vulnerability, there is a patch, the vendor says there is a exploit, and that’s about that.
If there is a “hearsay and rumours culture” that I object to, it’s the insistence on using vague criteria to decide that threat X is an “APT” rather than just “malware”, or that there is a “30% chance that country X was behind this attack” (which is, of course, the same as a 70% chance that everything you just said was garbage), stuff like that.
In this case, Google didn’t have to say “this is in the wild”, given that the patch is out anyway, so I don’t really think that this quite fits into the “hearsay and rumours culture” category,. TBHvI’d rather that Google did wait a few days for us all to catch up before moving to full disclosure – that’s a refreshing change from “publish anyway”.
To me this is not about Google specifically. It is a growing “trend”.
Google is absolutely right to “publish anyway”
Let’s not overestimate the relevance of such findings, blue team people do have use for such information and are able to actually create a response based on said information,so it also ends up in the right hands
I come from a time there was 100% full-disclosure all the time. The pressure was on but at least things got fixed. Which has now become more a political choice than anything. Also a reason i keep endorsing open source culture, in the end it simply is more effective and does not allow for poker-face games to persist. The real need for open source to work is the model is effectuated, not just hypothetical.
In extremis, what Google has to gain by publishing is reputation and reputational damage control. Though i doubt they have to worry too much about that at this time. I do see more and more people move away from Google products and services, so, maybe true in the end. I doubt they’d suddenly start making up threats.
My point is “reports in the wild” affect everyone, this is NOT part of vulnerability disclosure this is part of threat disclosure which are very distinct topics.
Keeping threat information from the general public is imho something shady and highly questionable.
To me it is symptomatic for the sickening politicization of cybersecurity and infosec, at worst it is deep corruption knocking at the door, and it is dangerous as it only serves dubious agendas
we do not need fear mongering and generalizations, we need actionable threat intelligence
Given Chrome’s big market share its not surprising that its a big target as well. I don’t agree with Goggle’s approach to zero day stuff. Like their 90 day time frame before exposing exploits about other companies products. Yeah, protect your own stuff Google while trying to make a example out of companies who go beyond 90 days to fix a issue. Leaving the end user more exposed and at risk. How exactly does that make the internet safer? Personally, I don’t ever use anything related to Google EVER!
I do find myself wondering why Google is happy to reveal proof-of-concept code as soon as other vendors publish fixes, even if they got the fix out within the 90-day deadline. Sometimes, a few more days for everyone to download and digest the patch first would surely be handy. Perhaps this “we’re going to sit on the details for a little while” thing is the start of a more conciliatory approach for everyone?
As Mark Stockley commented above, the 90-day rule does have a lot of common sense behind it: if it “just happens”, then there can be no favouritism – and there is a firm deadline to help to convince companies not to sweep bugs under the carpet and leave them to fester.
>Personally, I don’t ever use anything related to Google EVER!
I think you severely underestimate the weight of things Google is related to.
There was an update waiting for me on my Ubuntu desktop this morning. I forgot that I had Chrome installed because I never use it. Google knows enough about me already.
Does this affect Chrome on iOS, not got an update as yet, however I don’t use Chrome but asking for those that do.
I’m not sure but I suspect it doesn’t (or at least if it does there is no exploit yet). Alternative browsers on iOS, such as Firefox and Chrome, aren’t quite as alternative as they are on other platforms, because Apple requires all iOS browsers to stick to the official Apple iOS browser engine, called WebKit. It’s possible for the iOS and desktop versions of browsers like Chrome and Firefox to share vulnerabilities, and perhaps even to share the exploitability of those vulnerabilities, but the iOS versions of those products are actually very different internally from their desktop counterparts.
You state that the “current” update is 72.0.3626.121, yet my HP Windows 10 laptop is even more current with:
Google Chrome is up to date
Version 73.0.3683.86 (Official Build) (64-bit)
Or is there a different version for different OS, Hardware, etc?
73 came out since the article was written. So it’s “72.0.3626.121 or newer”. HtH.
how did this turn into a conversation about whether chrome or firefox is better? p.s. i like safari