After releasing an incremental update for Chrome on Mac, Windows, and Linux last Friday, Google revealed yesterday that the release patches a vulnerability that was already being exploited as a zero-day. The company's security team advises users to update Chrome on all platforms immediately, as there is evidence that a malicious party is actively exploiting the flaw.
Google released (via ZDNet) Chrome 72.0.3626.121 for Mac, Linux, and Windows on Friday. However, it was only yesterday that the company publicized that CVE-2019-5786 was “High” severity and a zero-day.
[$N/A] High CVE-2019-5786: Use-after-free in FileReader. Reported by Clement Lecigne of Google’s Threat Analysis Group on 2019-02-27
In security parlance, a zero-day is a vulnerability that is being exploited before the software vendor knows about it, and therefore before a fix is available. This particular bug is in the FileReader API, which lets web pages read the contents of files the user has made available to them (for example through a file picker). The "use-after-free" class of bugs, in which a program keeps using a piece of memory after it has been released and possibly handed to a new owner, can at worst let an attacker execute malicious code.
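To make the use-after-free pattern concrete, here is an added example that is not code from the article and not the actual Chromium bug or fix. It uses a hypothetical fixed-slot allocator (toy_alloc/toy_free) so that a freed slot is deterministically handed to the next allocation; a real browser heap is more complicated, but the mechanism is the same: an object keeps a pointer to memory it has already released, a new owner reuses that memory, and the stale pointer then reads the new owner's data.

```c
/* Added example (not from the article or from Chromium): a deterministic
 * use-after-free on a hypothetical fixed-slot allocator, with the buggy
 * and the hardened release routine side by side. */
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NUM_SLOTS 4

/* Toy heap: the lowest-numbered free slot is always handed out next,
 * so a slot that was just freed is reused by the very next allocation. */
static char slab[NUM_SLOTS][SLOT_SIZE];
static int slot_free[NUM_SLOTS] = {1, 1, 1, 1};

static char *toy_alloc(void) {
    for (int i = 0; i < NUM_SLOTS; i++) {
        if (slot_free[i]) {
            slot_free[i] = 0;
            return slab[i];
        }
    }
    return NULL;
}

static void toy_free(char *p) {
    for (int i = 0; i < NUM_SLOTS; i++) {
        if (slab[i] == p) {
            slot_free[i] = 1;
            memset(slab[i], 0, SLOT_SIZE); /* freed memory is scrubbed */
            return;
        }
    }
}

/* A stand-in for an object (like a file reader) that owns a data buffer. */
struct reader {
    char *buf;
};

/* Vulnerable: the buffer is released but the pointer to it is kept. */
static void reader_release_buggy(struct reader *r) {
    toy_free(r->buf);
}

/* Hardened: the pointer is cleared at release time, so a later use fails
 * visibly (NULL check) instead of silently reading someone else's memory. */
static void reader_release_fixed(struct reader *r) {
    toy_free(r->buf);
    r->buf = NULL;
}

/* First byte the reader observes, or -1 if it holds no buffer. */
static int reader_peek(const struct reader *r) {
    return r->buf ? (unsigned char)r->buf[0] : -1;
}

/* Runs the scenario and returns what the reader sees after its slot has
 * been reused: 'A' (attacker data) for the buggy path, -1 for the fixed one. */
int demo_uaf(int fixed) {
    struct reader r;
    r.buf = toy_alloc();
    strcpy(r.buf, "legit");

    if (fixed)
        reader_release_fixed(&r);
    else
        reader_release_buggy(&r);

    /* A later allocation (in a browser, e.g. one triggered from script)
     * gets the same slot and fills it with attacker-controlled bytes. */
    char *other = toy_alloc();
    strcpy(other, "ATTACKER");

    int seen = reader_peek(&r); /* stale read on the buggy path */

    toy_free(other);
    return seen;
}

int main(void) {
    printf("buggy release sees: %c\n", demo_uaf(0));
    printf("fixed release sees: %d\n", demo_uaf(1));
    return 0;
}
```

The buggy path returns the attacker's first byte through the reader's stale pointer; the fixed path returns -1 because the pointer was cleared on release. Clearing the pointer is only the minimal illustration here: in a real code base the fix is to get object lifetimes right (who owns the buffer, and for how long), which is what the actual Chromium patch for this CVE would have had to address.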
Also, seriously, update your Chrome installs… like right this minute. #PSA
— Justin Schuh 🗑 (@justinschuh) March 6, 2019
Google’s internal Threat Analysis Group reported the vulnerability on Wednesday, February 27th, and it was apparently already being exploited in the wild by the time the Chrome update was released.
Mac, Windows, and Linux users can go to chrome://settings/help to manually trigger the download if it has not yet been pushed to their device. Once the download completes, Chrome will prompt users to relaunch the browser to finish installing it; otherwise the update is applied the next time the desktop application is closed and reopened.
The update process is similar on Chrome OS, while Android users can visit the Play Store where the new version is still rolling out.