If you’re using Google’s Chrome browser – and the vast majority of folks are – then you need to make sure it’s on the latest version, otherwise you may be vulnerable to an exploit which is out there in the wild, and can be used to deliver all sorts of nastiness.
This hole in the browser’s security – given one of the usual catchy codenames: CVE-2019-5786 – is a zero-day vulnerability which could be leveraged by a malicious web page and used to install malware directly onto your PC. It affects the browser across all desktop operating systems – Windows, Mac, Linux, Chrome OS – as well as Android.
Justin Schuh, who heads up the Chrome team, tweeted that in no uncertain terms, you should make sure your browser is updated right now.
“Also, seriously, update your Chrome installs… like right this minute. #PSA” – March 6, 2019
To clarify, you need to ensure that your Chrome browser is updated to version 72.0.3626.121, which has the relevant security fix.
The Chrome team noted a week ago that the stable channel had been updated to this latest version, on Windows, Mac, and Linux, and that it would be rolling out “over the coming days/weeks”. The team further observed that the fix was important because: “Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.”
In other words, this is being actively exploited, so it’s a definite danger which you could potentially run into now in your daily web browsing activities, or via a malicious link sent to you in an email, for example.
Don’t hang about
Chrome should update itself to the latest version automatically – or you may see a prompt top-right telling you that the browser is ready to be updated, in which case, close down Chrome, and reopen the browser to apply the patch.
You can find out which version of Chrome you’re running by clicking on the three vertical dots icon top-right, selecting Help, and then clicking on About Google Chrome from the resulting fly-out menu. That will also check for updates, and let you know that your browser is officially up-to-date (assuming it is).
As to the nature of the bug, it is apparently a memory management flaw in the FileReader API portion of Chrome. However, no firmer details have been released regarding the vulnerability, because at this point a large number of people browsing the web may still be at risk from the security hole.
The other issue is how this problem affects other Chromium-based browsers. It seems that Opera was hit by this bugbear, too, so you need to make sure you’re running the latest version 58.0.3135.90 of that browser. And another Chromium-powered browser, Vivaldi, issued an updated version on March 4 to squash the bug, so evidently was affected as well.
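For anyone checking more than a handful of machines, the version check described above (About Google Chrome, and the equivalent for Opera) is easier to do against an inventory export than by clicking through each browser. The following is an added example, not code from the article or from Google, Opera or Vivaldi: it compares dotted version strings numerically against the minimum patched builds the article names (Chrome 72.0.3626.121, Opera 58.0.3135.90) and lists the hosts still exposed. The inventory rows are constructed sample data, and the version-string formats are assumed to match what the browsers’ About pages print; Vivaldi is left out because the article gives no version number for it.

```python
import re

# Minimum patched builds named in the article; anything older is assumed exposed.
MIN_PATCHED = {
    "chrome": "72.0.3626.121",
    "opera": "58.0.3135.90",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Pull the first dotted version out of a string and return it as a tuple of ints.

    Accepts raw '72.0.3626.121' as well as About-page style text such as
    'Version 72.0.3626.121 (Official Build) (64-bit)'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing two dotted versions numerically.

    Shorter versions are padded with zeros so '72.0' == '72.0.0.0'; a plain
    string comparison would get cases like 9 vs 10 wrong.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_patched(browser, installed):
    """True if the installed build is at or above the minimum patched build."""
    key = browser.lower()
    if key not in MIN_PATCHED:
        raise KeyError(f"no minimum patched version known for {browser!r}")
    return compare_versions(installed, MIN_PATCHED[key]) >= 0


def audit(inventory):
    """Given (host, browser, version) rows, return the rows still running an unpatched build.

    Browsers not in MIN_PATCHED are skipped rather than reported, so a row
    for an unrelated browser does not show up as a false positive.
    """
    exposed = []
    for host, browser, version in inventory:
        if browser.lower() not in MIN_PATCHED:
            continue
        if not is_patched(browser, version):
            exposed.append((host, browser, version))
    return exposed


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "Version 72.0.3626.121 (Official Build) (64-bit)"),
    ("ws-02", "chrome", "72.0.3626.119"),
    ("ws-03", "Chrome", "73.0.3683.75"),
    ("ws-04", "opera", "58.0.3135.90"),
    ("ws-05", "opera", "57.0.3098.116"),
    ("ws-06", "firefox", "65.0.2"),
]

if __name__ == "__main__":
    for host, browser, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {browser} {version} is below {MIN_PATCHED[browser.lower()]}")
```

In practice the inventory rows would come from whatever endpoint-management or software-inventory tool already reports installed browser versions; the point of the numeric comparison is that a host on 72.0.3626.119 is still exposed even though it looks “almost” current, while a later major version such as 73 passes without needing the table updated.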
And you can bet Microsoft is watching this with some interest as well, given that Edge is shifting to be based on Chromium (we got a good look at some leaked screenshots of the new version of Microsoft’s browser earlier this week, incidentally).
Via The Register