Google warns of system-controlling Chrome bug

Google is patching a serious bug in the desktop version of its Chrome browser that could let an attacker take over a computer simply by luring users to a website. A fix for the bug, which affects the desktop version of Chrome on macOS, Windows, and Linux, will be available in the coming days, the company said. The flaw doesn’t affect the iOS or Android versions of Chrome.

The bug lies in Blink, the rendering engine that underpins Chrome. A rendering engine is the part of the browser that interprets HTML and creates the visuals you see when you visit a website.

Blink is part of the open-source Chromium project on which Chrome is based. The Chromium team created Blink in 2013 as a fork of WebCore, which is a part of WebKit, the browser engine that Apple uses for its Safari browser.

An attacker could exploit this serious bug if a user visits a malicious webpage, according to an advisory that the Center for Internet Security (CIS) issued a day after Google’s blog post on the issue.

It warned:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Google is keeping quiet about the specifics of the bug until it’s sure that “the majority of users are updated with a fix”. However, it has revealed that it is a use-after-free vulnerability. Use-after-free bugs are flaws in which a program tries to access memory after it has been freed.

The bug was reported by Qihoo 360 Technology Co’s Chengdu Security Response Center. Google awarded the researchers $5,500 for their efforts.

CIS ranks the bug severity as high for large and medium organizations, and medium for small ones. The risk is low for home users, it suggests, but that certainly doesn’t mean you shouldn’t patch it.

Normally, the update will be installed in the background once the patch is available, but if you haven’t closed Chrome in a while, you can check to see if there are any pending updates. Click the ‘more’ icon (the three dots at the far right of the address bar), then Help, and then About Google Chrome. The browser will check for any updates when you’re on this page.