CVE : 2019-5786 Remote Code Execution Vulnerability in Google Chrome Browser.
The vulnerability was discovered late February by Clement Lecigne, a security researcher at the Google Threat Analysis Group.
According to an update to its original announcement and a tweet from Google Chrome’s security lead, the patched bug was under active attacks at the time of the patch.
What is this vulnerability?
Complete technical details about this vulnerability is not disclosed by Google yet. Here are the things we know about this vulnerability.
- It affects almost all the web browsing software in almost all OS.
- It is a use-after-free vulnerability, a type of memory error that happens when an app tries to access memory after it has been freed/deleted from Chrome’s allocated memory.
- A use-after-free flaw in the FileReader component could be exploited by unprivileged attackers to gain privileges on the Chrome web browser and to escape the sandbox to run arbitrary code on the underneath OS leading to Remote code execution successful exploit.
How an attacker can exploit it ?
An attacker just needs to trick the user to open or redirect them to a specially-developed webpage (Malicious page which can exploit this vulnerability) without requiring any further interaction with the user.
Its acitve exploitation is seen or not ?
Till far google has not disclosed the technical details of this vulnerability. But yes google have been reported of its active exploitation from some of its users.
Chrome users should update their browsers to the latest version : 72.0.3626.121 version, released last Friday, March 1, 2019.