Google Chrome Tarnished By New Exploit
Google announced that its security team discovered an actively exploited bug in Chrome with the catchy name, CVE-2019-5786. The bug was discovered a couple of weeks back, on February 27th, and is being actively exploited by opportunistic hackers.
The bug allows attackers to achieve remote code execution (RCE) through a memory mismanagement bug in FileReader, a web API featured in all the main web browsers. FileReader enables apps to read the contents of files stored on your computer and is not malicious in itself, of course.
The issue arises when an app attempts to gain access to memory that is no longer allocated to Chrome. The incorrect handling of this access is what can potentially lead to malicious code being executed. The vulnerability allows the malicious code to run commands on the operating system after escaping Chrome’s built-in security sandbox.
Google will not divulge any more information on the vulnerability at the moment, stating, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
However, Catalin Cimpanu, a security reporter at ZDNet, has suggested that there are already PDFs being spread around that are used to attack users’ computers through this vulnerability. These PDFs collect information about your device, such as the file’s location, software versions and your IP address, before sending it off to remote domains. The collected information can be used for future attacks, and the PDFs could also contain malicious code, as previously mentioned.
So what can you do to avoid this bug? Firstly, only open PDFs that you trust. Secondly, if you are at all worried, disconnect from the internet before opening the document. Thirdly, make sure that Chrome is completely up to date so you get the most recent patches that fix the issue. The full patch has been indicated to be ready for release at some point during April.
To make sure Chrome is up to date on desktop, simply go to chrome://settings/help and it will say if you need to update or if you’re good to go!