Chrome users should drop everything and update their browser immediately to version 72.0.3626.121, security experts at Google have advised, after discovering an exploit that hackers are actively taking advantage of. The browser is designed to update itself automatically in many cases when a security issue is fixed, but the fix for this particular exploit does not take effect until Chrome is manually restarted.
At the heart of the problem is CVE-2019-5786, a terrible name for a potentially very dangerous flaw. First publicly identified by Google in late February 2019, it relies on an error in the memory management of the Chrome FileReader. If exploited correctly, it could allow a hacker to execute malicious code on a user’s system.
Google has kept a lid on further details, arguing that it makes sense to limit awareness of the technical nature of the exploit until users have had a chance to update Chrome. In fact, it began pushing out a patched version of the browser for Mac, Windows, and Linux a week ago. However, it’s unlikely that everyone potentially affected has installed it yet.
The severity of the zero-day vulnerability – and the potential for the update to go ignored – encouraged the Google Chrome Security and Desktop Engineering Lead to speak out on the urgency of patching the browser. “Seriously, update your Chrome installs… like right this minute,” Justin Schuh took to Twitter to caution users. Speaking out publicly in such a way is unusual, Schuh noted, but there was a good reason for it.
“Past 0days targeted Chrome by using Flash as the first exploit in the chain,” he explained. “Because Flash is a plugin component, we could update it separately, and once updated Chrome would silently switch to the fixed Flash, without a browser restart or any user intervention.”
However, users couldn’t rely on that happening and protecting them in this particular situation. In fact, while Chrome might have done all it could to patch itself in the background without warning the user, it would still be waiting for the user to complete the final step.
“This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded,” Schuh said. “For most users the update download is automatic, but restart is usually a manual action.”
Adding to the urgency is the fact that, as Google said previously, this is not a theoretical attack. Indeed, both the Chrome flaw and a second flaw, which Google researchers identified in Microsoft Windows, were being actively exploited. Microsoft is still apparently working on a fix for its OS.
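The gap described above, where the update is downloaded but the old build keeps running until a restart, can be checked across a fleet. The following is an added example, not code from Google or from the article; the inventory rows, host names and the three-column layout are constructed assumptions, and only the fixed version number comes from the text.

```python
# Added example: flags hosts where the Chrome fix is on disk but the running
# process is still the old build. Inventory rows and their layout are constructed.
PATCHED = (72, 0, 3626, 121)  # fixed version named in the article

def parse_version(text):
    """Turn '72.0.3626.121' into (72, 0, 3626, 121) so parts compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(installed, running):
    """installed: version on disk; running: version of the live process, or None."""
    on_disk_ok = parse_version(installed) >= PATCHED
    if running is None:  # browser closed: the next launch uses the on-disk build
        return "patched" if on_disk_ok else "update-needed"
    if parse_version(running) >= PATCHED:
        return "patched"
    # Live process predates the fix; a restart helps only if the fix is on disk.
    return "restart-needed" if on_disk_ok else "update-needed"

# Constructed sample: host,installed_version,running_version (empty = not running)
INVENTORY = """\
ws-01,72.0.3626.121,72.0.3626.121
ws-02,72.0.3626.121,72.0.3626.119
ws-03,72.0.3626.119,72.0.3626.119
ws-04,72.0.3626.121,
ws-05,73.0.3683.75,72.0.3626.96
"""

def report(csv_text):
    """Map each host in the inventory text to its patch status."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, installed, running = (f.strip() for f in line.split(","))
        result[host] = classify(installed, running or None)
    return result

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison ranks 72.0.3626.96 above 72.0.3626.121 and would report an unpatched build as fixed.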