A few hours ago Justin Schuh, engineering director and security lead for Google Chrome, confirmed that the Chrome browser has a serious security vulnerability and that users should update it “like right this minute.”
Last week we got to deal with a real 0day chain and a faux 0day at the same time. I wonder which one will get more attention? https://t.co/DfeyoB7geY
— Justin Schuh (@justinschuh) March 6, 2019
Why does Google want you to update Chrome immediately? Because there is a zero-day vulnerability in the browser, found by Google’s Threat Analysis Group, that is already being exploited in the wild.
What kind of vulnerability is it? A memory-corruption bug (a use-after-free) in the browser’s FileReader API: an ordinary class of coding flaw, but one that any web page can trigger remotely, which puts every Chrome user at risk.
Zero Day Vulnerability
A zero-day vulnerability is one for which threat actors have built a working exploit, a way of doing bad things to your device or data, before the vendor even knew the bug existed.
In other words, the defenders had zero days’ warning in which to prepare a fix. The bad news for Google Chrome users is that this particular zero-day, CVE-2019-5786, is already being exploited by the bad guys.
Which is why it is so important to make sure your browser has been updated to the latest patched version that fixes the vulnerability.
Zero Day Vulnerability Explained
“Zero-day vulnerability” is the term for a bug or loophole that is unknown to (or not yet patched by) the developers at the time attackers begin exploiting it.
Such vulnerabilities are hazardous because they can do damage at scale: loss of privacy, financial loss, and in some environments even physical harm.
Until the developers ship a fixed build, the only ways to protect yourself are to stop using the affected software or to remove it from the device.
How CVE-2019-5786 is being exploited, and by whom, has not been revealed: as usual, Google is withholding the bug details until most users have received the fix.
Satnam Narang, a senior research engineer at Tenable, says:
“It is a Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer.” The ‘use-after-free’
A use-after-free is a memory-corruption bug: the program frees a block of memory but keeps using a pointer to it, so whatever the attacker arranges to occupy that block next is treated as the original object. Controlling that memory lets the attacker corrupt the browser’s data structures and, from there, run code of their choosing.
That is why Google pushed the update as a defensive move: a malicious web page could exploit the bug to run arbitrary code remotely (a remote code execution attack). On its own, a renderer bug such as this runs that code inside Chrome’s built-in sandbox; escaping the sandbox and escalating privileges on the machine requires a second bug, which is the “real 0day chain” Schuh’s tweet refers to.
How to Secure Yourself From Zero Day Vulnerability?
Fortunately, this Chrome vulnerability is easy to fix. Check your version now, while reading this post:
- First, open Chrome and click the menu button (the three stacked dots at the top right corner of the browser window).
- In the menu that appears, choose “Help”, then “About Google Chrome”.
- Alternatively, type chrome://settings/help in the address bar; it takes you to the same page.
- That page shows which version of Chrome you are running and whether an update is available.
- To be protected from this zero-day exploit, make sure it says you are running version 72.0.3626.121 (Official Build) or later. If not, Chrome will fetch the latest version and update itself; click “Relaunch” when prompted, because the patched build only takes effect after the browser restarts.
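If you look after more than one machine, the version check above is easier to script. The following is an added example, not code from the article or from Google: it compares a Chrome version string against 72.0.3626.121 (the first fixed stable build) and reports whether the install is patched. The binary names it probes and the use of `--version` on a Linux install are assumptions; the numeric comparison also handles version strings with fewer or more than four components.

```shell
#!/bin/sh
# Added example (not from the original article): compare an installed Chrome
# version against 72.0.3626.121, the first stable build that fixes CVE-2019-5786.

FIXED_VERSION="72.0.3626.121"

# version_ge A B: returns 0 if dotted version A is greater than or equal to B.
# Components are compared numerically, left to right; a missing component
# counts as 0, so "72.0.3626" is older than "72.0.3626.121".
version_ge() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"
    bh="${b%%.*}"
    if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ah="${ah:-0}"
    bh="${bh:-0}"
    if [ "$ah" -gt "$bh" ]; then return 0; fi
    if [ "$ah" -lt "$bh" ]; then return 1; fi
  done
  return 0
}

# chrome_patched VERSION: prints a verdict; returns 0 when patched, 1 otherwise.
chrome_patched() {
  if version_ge "$1" "$FIXED_VERSION"; then
    echo "$1: patched (>= $FIXED_VERSION)"
    return 0
  fi
  echo "$1: VULNERABLE to CVE-2019-5786, update Chrome now"
  return 1
}

# installed_chrome_version: prints the version of the first Chrome/Chromium
# binary found on PATH. The binary names are an assumption for a typical Linux
# install; "--version" prints a line such as "Google Chrome 72.0.3626.121".
installed_chrome_version() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
      "$bin" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
      return 0
    fi
  done
  return 1
}

# Stand-alone use: check the locally installed browser, if any.
if v="$(installed_chrome_version)" && [ -n "$v" ]; then
  chrome_patched "$v"
else
  echo "No Chrome/Chromium binary found on PATH; check chrome://settings/help in the browser." >&2
fi
```

The script only tells you which build is on disk; a running Chrome that has downloaded the update but not been relaunched is still executing the old code, so the "Relaunch" step above remains necessary.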
Travis Biehn, research lead and technical strategist at Synopsys, said:
“Google Chrome is some of the most robustly engineered C and C++ code on the planet; the security teams working on Chrome are world-class.
Despite Google’s security program and their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and C++.
Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”