Put down the cat, coffee, beer pint, martini, whatever you’re holding, and make sure you’ve updated Chrome (unless you enjoy being hacked)

Updated If Google Chrome is bugging you to update it right now, please stop what you’re doing, and get that upgrade.

The latest version fixes a security vulnerability (CVE-2019-5786) that can be potentially exploited by malicious webpages to hijack the software, and run spyware, ransomware, and other nasties on your device or machine.

According to Googler Abdul Syed, the ads giant is “aware of reports that an exploit for CVE-2019-5786 exists in the wild,” meaning criminals and other miscreants are leveraging the bug to infect victims’ computers. A mark just needs to be lured into opening a booby-trapped website from, say, an instant-messenger link or email, or viewing a malicious advert, using a vulnerable version of Chrome to potentially fall victim.

Meanwhile, Google Chrome lead Justin Schuh urged: “Seriously, update your Chrome installs… like right this minute.”

The vulnerability affects Windows, Linux, Android, ChromeOS, and macOS builds of Chrome: if you’re running version 72.0.3626.121 or higher (or 72.0.3626.122 or higher on ChromeOS) then you’re all good. Open the Chrome menu, click on ‘Help’, then ‘About Google Chrome’ to check the version. From there you can update as necessary, or use your favorite package manager to upgrade.

Normally, Chrome gets its updates automatically: you just have to restart it when it’s done.

Under the hood

The bug, discovered by Googler Clement Lecigne, lies in the FileReader API portion of Chrome, and is a use-after-free() programming blunder. This means the browser can be tricked into freeing a block of heap memory as no longer needed, and then using it again anyway as if it had never released the space.

In between a thread releasing the memory and reusing it, that memory space could be assigned to another part of the browser and altered, for example while rendering a webpage. When the thread then incorrectly reuses that memory, the data it expects to find will have been overwritten and significantly changed, leading to confusion and ultimately, potentially, remote code execution.

One way to achieve this would be to craft a webpage that, when loaded, causes a Chrome thread to free memory holding a block of function pointers, then render some HTML or fire up some JavaScript that causes the block to be reallocated, and those pointers overwritten with data contained in the page. Then you wait for the browser to access what it thinks are still valid pointers from the memory block, and jump to them. In reality, it will start running arbitrary code supplied by the attacker’s webpage.
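To make those three steps concrete, here is an added illustration in C. It is not Chrome's code and not the exploit seen in the wild (whose details Google is withholding); the allocator, the `reader_t` object, and every function name are invented for the example. A toy fixed-size free-list allocator stands in for the browser heap so that the "chunk you just freed is the next one handed out" behaviour is deterministic, and the "attacker payload" is a harmless function that sets a flag rather than real shellcode. The second function shows the usual remedy: holders take counted references, so the object is only returned to the allocator once the last user is finished with it.

```c
#include <stdio.h>
#include <string.h>

/* Toy heap (constructed for this example): a handful of equal-size chunks
 * handed out LIFO from a free list. This mirrors the property that makes a
 * use-after-free exploitable: the chunk you just freed is the first one the
 * next same-size allocation receives. The real browser allocator is far
 * richer, but the reuse behaviour is the same in spirit. */
#define CHUNK_SIZE 32
#define NUM_CHUNKS 8
static unsigned char heap[NUM_CHUNKS][CHUNK_SIZE];
static int free_list[NUM_CHUNKS];
static int free_top;

static void heap_init(void) {
    free_top = -1;
    for (int i = NUM_CHUNKS - 1; i >= 0; i--) free_list[++free_top] = i;
}
static void *toy_malloc(void) {
    return free_top < 0 ? NULL : heap[free_list[free_top--]];
}
static void toy_free(void *p) {
    free_list[++free_top] = (int)(((unsigned char *)p - &heap[0][0]) / CHUNK_SIZE);
}

/* The victim object (hypothetical): like a FileReader, it carries a callback
 * that fires when the read completes. The function pointer sits at offset 0
 * of the chunk, so whoever gets the chunk next controls it. */
typedef struct {
    void (*on_load)(void);
    int refcount;
} reader_t;

static int payload_ran;
static void benign_callback(void) { }                    /* what the browser meant to call */
static void attacker_payload(void) { payload_ran = 1; }  /* stands in for shellcode */

/* The page's contribution: a same-size allocation whose first bytes are an
 * attacker-chosen pointer, exactly where on_load lived in the freed chunk. */
static void spray_one_chunk(void) {
    unsigned char *spray = toy_malloc();
    void (*fp)(void) = attacker_payload;
    memcpy(spray, &fp, sizeof fp);
}

/* Vulnerable: two parts of the program share a raw pointer; one frees the
 * object while the other still intends to use it. Returns 1 if the
 * attacker's function ran. */
int demo_vulnerable(void) {
    heap_init();
    payload_ran = 0;
    reader_t *owner = toy_malloc();
    owner->on_load = benign_callback;
    reader_t *stale = owner;        /* second holder, no lifetime tracking */
    toy_free(owner);                /* step 1: the owner decides it is done */
    spray_one_chunk();              /* step 2: the page reallocates that chunk */
    stale->on_load();               /* step 3: dangling pointer is dereferenced */
    return payload_ran;
}

/* Fixed: holders take counted references, so the chunk is only returned to
 * the allocator once the last user lets go. The spray then lands in a
 * different chunk and the callback is still the benign one. Returns 0. */
static reader_t *reader_ref(reader_t *r) { r->refcount++; return r; }
static void reader_unref(reader_t *r) { if (--r->refcount == 0) toy_free(r); }

int demo_fixed(void) {
    heap_init();
    payload_ran = 0;
    reader_t *owner = toy_malloc();
    owner->on_load = benign_callback;
    owner->refcount = 1;
    reader_t *holder = reader_ref(owner);   /* refcount 2 */
    reader_unref(owner);                    /* refcount 1: not freed yet */
    spray_one_chunk();                      /* gets a fresh chunk, not ours */
    holder->on_load();                      /* still benign_callback */
    reader_unref(holder);                   /* refcount 0: freed now */
    return payload_ran;
}

int main(void) {
    printf("raw pointer, freed then reused: attacker code ran = %d\n", demo_vulnerable());
    printf("reference counted:              attacker code ran = %d\n", demo_fixed());
    return 0;
}
```

The toy allocator is what keeps the demonstration reproducible; against a real heap an attacker has to work for that same-chunk reuse with many allocations of the right size, which is what the "render some HTML or fire up some JavaScript" step above is doing.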

Exact details of the flaw are being withheld until enough people are patched. The bug fix was emitted at the start of March, and word of exploitation in the wild emerged this week. ®

Updated to add

In a blog post today, Google has revealed a few more details, here. It also warns that it has discovered “a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape,” that primarily affects Windows 7. Security defenses in modern Windows editions block exploitation attempts.

“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” the ad giant’s security team explained.

Google has spotted active attacks leveraging this privilege escalation flaw against 32-bit Windows 7 systems. Microsoft is still working on a patch for this bug, so stay tuned for an update soon. Or upgrade to Windows 10, ChromeOS, Linux… take your pick.
