New Zero-Day vulnerability found in Google Chrome
Last month, the researcher Clement Lecigne, in charge of detecting the new threats to Google, has discovered and reported a particularly dangerous vulnerability that could, apparently, allow attackers to carry out cyber-attacks remotely by executing, in an entirely arbitrary way, the code, and consequently taking complete control of the system.
The vulnerability discovered in Google Chrome: what it is and how it works
The vulnerability in question, which was given its name CVE-2019-5786, targets the popular browser on all major operating systems, including Microsoft Windows, Apple macOS, and Linux. Apparently, this would be a type vulnerability use-after-free present in Chrome's FileReader component, but there's more: Google itself warned that the zero-day RCE vulnerability would already be in active use by some attackers who aim straight at individual users.
"Access to the details and various links of the bug will be restricted until the majority of users have updated the browser with the necessary fixes," notes the Chrome security team, "we will adopt other restrictions on the third-party library on which they depend. similar projects that have not yet been fixed. "
For example, FileReader is a standard API specially made to allow web applications to read the contents of files (or raw data) stored on the user's computer, using 'File' or 'Blob' to specify the files or data to be read.
The type vulnerability use-after-free belongs to a class of bug corruption that allow malicious people to modify the data in memory, as well as to gain access to the system, if not even to the software, in a progressive manner.
The use-after-free vulnerability present in the component FileReader Google Chrome, in fact, grants cyber-criminals privileged access to Chrome, allowing them to bypass the security systems and reach the system directly.
All a hacker has to do, to exploit this particular Google Chrome vulnerability, is deceive the victims unaware, prompting them to open or redirecting them to a website that does not require any kind of interaction.
Chrome vulnerability: Google already has the remedy
It is therefore an insidious vulnerability, which can potentially affect any operating system. However, Google is not watching, so it has already released the patch to offer to its users, with the Chrome update 72.0.3626.121 for Windows, Mac, and Linux: it should arrive in the next few days, but some have already had it.
Andrea Mori
Swascan Digital Marketing Specialist
New Zero-Day vulnerability found in Google Chrome