Chrome update solves zero-day; immediate update recommended

Google has announced that a patch that it rolled out to web browser Chrome on March 1 solves a zero-day exploit that has been actively exploited. Updating your browser immediately is therefore very important. There are not many details about the update and the exploit.

A zero-day is a vulnerability that is usually unknown to a software developer and gives hackers a high level of access. In this case it was a zero-day with the name CVE-2019-5786. This is solved with Chrome version 72.0.3626.121 for Mac, Linux and Windows, which was released last Friday.

Few details

Google only published today some details of the exploit. This is an error in the FileReader application programming interface of the browser. This API allows the browser to access and read locally stored files. Somehow, hackers can take advantage of that.

Many more details will not be published by Google for the time being. The team writes in a blog post of March 1 that details about the bug “limited to the majority of users is provided with a fix”. But even in that case, it is possible that no details will be disclosed yet, because certain third parties also rely on Chrome. Only when the majority of these parties have also released a fix will details follow.

Quick patch

Google’s Threat Analysis Group first heard about the bug on Wednesday 27 February. So, in practice, it was exploited by malicious parties. Google has therefore placed great priority behind solving the problem. Users are strongly advised to update their browser as soon as possible. Lead developer Justin Schuh even suggests the following on Twitter:

https://twitter.com/justinschuh/status/1103087046661267456

If your browser does not have an update yet, you can install it manually. To do so, go to this page: chrome://settings/help, where you can force the update. As soon as the update is complete, you will need to restart your browser.