Google's head of Chrome security has warned all Chrome users to update the browser immediately to patch a zero-day flaw that is being exploited in the wild.
Google issued a warning about the attacks yesterday in an update to a post about a Chrome update released on March 1 that contained one security fix.
Enterprise admins and Chrome desktop users on the stable channel should check to see that they have updated to Chrome 72.0.3626.121 for Windows, Mac, and Linux.
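One way for an enterprise admin to act on that check across a fleet, as an added example that is not from the article or from Google: compare each reported Chrome version against the patched build 72.0.3626.121 component by component rather than as strings, so that "72.0.3626.96" is correctly flagged as older than "72.0.3626.121". The inventory dictionary and host names are constructed for the example; the input format of a real endpoint-management export is an assumption.

```python
# Added example (not from the article): flag hosts whose Chrome build is
# below the fixed version named in the advisory.
PATCHED = "72.0.3626.121"


def parse_version(v):
    """Turn a dotted Chrome version string into a tuple of ints."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, patched=PATCHED):
    """True if installed >= patched; missing trailing components count as 0."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b  # tuples compare lexicographically, i.e. major first


def triage(inventory, patched=PATCHED):
    """Given {host: chrome_version}, return the sorted hosts still exposed."""
    return sorted(h for h, v in inventory.items() if not is_patched(v, patched))


# Constructed sample inventory (assumed shape: host -> reported Chrome version).
SAMPLE_INVENTORY = {
    "wks-01": "72.0.3626.121",
    "wks-02": "72.0.3626.119",
    "wks-03": "73.0.0.0",
    "wks-04": "72.0.3626.96",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {PATCHED}, update needed")
```

String comparison would get this wrong ("72.0.3626.96" > "72.0.3626.121" as text), which is why the build number is split into integers before comparing.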
The update addressed a use-after-free memory-corruption bug, in which code keeps using memory after it has been released, in FileReader, a web API in Chrome and other browsers that lets web apps read the contents of files stored on users’ computers. This class of memory-corruption bug can be dangerous and is commonly found by researchers who look for flaws in browsers.
Google's updated post revealed that the bug, CVE-2019-5786, was reported by a member of Google's Threat Analysis Group and that an exploit for it was already being used by attackers.
The Google threat researcher reported the issue on February 27, two days before the original advisory and almost a week after Google revealed the extra details.
“Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild,” Google notes in the updated Chrome releases blog.
Shortly after Google updated the post, Chrome’s head of security warned organizations and users to update Chrome installations “like right this minute”, noting that the company had dealt with a zero-day “chain” last week, referring to an exploit that uses more than one vulnerability to compromise a computer.
There are no details about whether CVE-2019-5786 is being used in targeted or widespread attacks, though the bug is most likely being used by an advanced persistent threat (APT) group.
Chaouki Bekrar, CEO of exploit broker Zerodium, noted the bug was reportedly a remote code execution flaw that allowed malicious code to escape the Chrome sandbox, which would allow an attacker to compromise the operating system.