Google Chrome Zero-Day Vulnerability CVE-2019-5786 actively exploited in the wild

A new zero-day vulnerability in Google Chrome, tracked as CVE-2019-5786, is actively exploited in attacks in the wild.

A new zero-day vulnerability in Google Chrome is actively exploited in attacks in the wild. The vulnerability was discovered late February by Clement Lecigne, a security researcher at the Google Threat Analysis Group. The high severity zero-day flaw in Chrome could be exploited by a remote attacker to execute arbitrary code and take full control of the target computer.

The vulnerability tracked as CVE-2019-5786 resides in the web browsing software and impact all major operating systems including Windows, Apple macOS, and Linux.

Lecigne did not reveal technical details of the issue, Google experts only revealed that the CVE-2019-5786 flaw is a use-after-free vulnerability in the FileReader component of the Chrome browser. FileReader is a standard API that allows web applications to asynchronously read the contents of files stored on a computer, using ‘File’ or ‘Blob’ objects to specify the file or data to read.

Google confirmed that the zero-day RCE vulnerability is actively being exploited in the wild by threat actors.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” reads the security advisory published by Google. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.

You must update your Google Chrome immediately to the latest version of the web browsing application.

A use-after-free flaw in the FileReader component could be exploited by unprivileged attackers to gain privileges on the Chrome web browser and to escape the sandbox to run arbitrary code.

The attack scenario sees threat actors tricking victims into opening, or redirecting them to, a specially-crafted webpage.

Google addressed the issue by rolling out a stable Chrome update 72.0.3626.121 for Windows, Mac, and Linux operating systems.

Don’t waste time and update your Chrome web browser.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Chrome, CVE-2019-5786)

[adrotate banner=”5″]

[adrotate banner=”13″]