Researcher Clement Lecigne discovered and reported a security vulnerability in Chrome late last month that allowed remote attackers to execute arbitrary code and take full control of affected computers.
The vulnerability, tracked as CVE-2019-5786, affects the web browsing software for all major operating systems. Without revealing technical details of the vulnerability, the Chrome security team says only that the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser.
Google warned that this zero-day RCE vulnerability is actively being exploited in the wild by attackers to target Chrome users.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the Chrome security team notes. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
FileReader is a standard API that has been designed to allow web applications to asynchronously read the contents of files (or raw data buffers) stored on a user’s computer, using ‘File’ or ‘Blob’ objects to specify the file or data to read.
A use-after-free vulnerability is a class of memory corruption bug that allows corruption or modification of data in memory, enabling an unprivileged user to escalate privileges on an affected system or software.
It appears that to exploit this vulnerability, all an attacker needs to do is trick victims into opening, or redirect them to, a specially crafted webpage, without requiring any further interaction.
The patch for the security vulnerability has already been rolled out to users in the stable Chrome update 72.0.3626.121 for Windows, Mac, and Linux operating systems, which users may have already received or will soon receive in the coming days.
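To find machines that still need the update, the fixed build number above can be compared against the Chrome version each client reports. The following is an added example, not code from Google or the original article: it reads `(host, User-Agent)` pairs such as a web proxy might log and lists hosts reporting a build older than 72.0.3626.121. The hostnames, sample User-Agent strings and function names are constructed for illustration, and treating every earlier build as unpatched is an assumption.

```python
import re

# Fixed stable build named in the article.
PATCHED = (72, 0, 3626, 121)

# Chrome product token in a User-Agent header, e.g. "Chrome/72.0.3626.119".
_CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def chrome_version(user_agent):
    """Return the reported Chrome version as a 4-tuple of ints, or None."""
    m = _CHROME_TOKEN.search(user_agent)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_update(user_agent):
    """True if the UA reports a build older than PATCHED, False if not,
    None when there is no Chrome token (another browser or a malformed UA)."""
    version = chrome_version(user_agent)
    if version is None:
        return None
    # Tuples compare numerically field by field, so 9.x sorts below 72.x
    # (a plain string comparison would get this wrong).
    return version < PATCHED


def unpatched_hosts(records):
    """records: iterable of (host, user_agent). Returns sorted hosts to update."""
    return sorted({host for host, ua in records if needs_update(ua)})


# Constructed sample data: hostnames and User-Agent strings are illustrative.
_WEBKIT = "AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLE = [
    ("ws-001", f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {_WEBKIT} Chrome/72.0.3626.119 Safari/537.36"),
    ("ws-002", f"Mozilla/5.0 (X11; Linux x86_64) {_WEBKIT} Chrome/72.0.3626.121 Safari/537.36"),
    ("ws-003", f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) {_WEBKIT} Chrome/9.0.597.84 Safari/537.36"),
    ("ws-004", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"),
    ("ws-005", f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {_WEBKIT} Chrome/73.0.3683.75 Safari/537.36"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE):
        print(host, "reports a Chrome build older than", ".".join(map(str, PATCHED)))
```

User-Agent strings are self-reported, so use the result for triage and confirm the installed version on the endpoint itself.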