A high severity vulnerability has been discovered in Google Chrome last month which could allow remote attackers to execute arbitrary code and take complete control of the computers. The flaw was discovered by Clement Lecigne, the security researcher at Google’s Threat Analysis Group.
The vulnerability which has been dubbed as CVE-2019-5786, affects the web browsers for operating systems including Microsoft Windows, Apple macOS, and Linux.
The technical details of the vulnerability were not revealed and the security team states that the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser that results in remote code execution attacks.
Google warned that this zero-day RCE vulnerability is actively being exploited in the wild by attackers to target Chrome users.
FileReader is a standard API which permits web applications to asynchronously read the contents of files (or raw data buffers) stored on a user’s computer, using ‘File’ or ‘Blob’ objects to specify the file or data to read.
The use-after-free vulnerability is a class of memory corruption bug that allows corruption or modification of data in memory, enabling an unprivileged user to escalate privileges on an affected system or software.
The use-after-free vulnerability in the FileReader component could enable unprivileged attackers to gain privileges on the Chrome web browser, allowing them to escape sandbox protections and run arbitrary code on the targeted system.
In order to exploit this vulnerability, the attacker has to trick the victims to open it or redirect them to a specially-crafted webpage without requiring any further interaction.
The patch for the security vulnerability has been issued in a stable Chrome update 72.0.3626.121 for Windows, Mac, and Linux operating systems.
All the users are highly recommended to make sure that your system runs the updated version of the Chrome web browser.