If you use Google Chrome on your Mac, update it right now
Google has confirmed a recent update to Chrome was to patch a zero-day issue in the popular browser, an exploit that was actively used in attacks, and has recommended all Chrome users on Mac, Windows, and Linux update their installations as soon as possible.
Chrome's update dialog box when a patch is ready to install
A patch for Chrome shipped on March 1 consisting of a fix for a security flaw, identified as CVE-2019-5786. The update, which only fixed the issue without making other changes to the browser, brought Chrome on all three operating systems up to version 72.0.3626121.
While the security flaw affected all desktop versions of Chrome, it was especially a problem for Windows users, as it formed part of a more complex attack against Windows 7. The older Microsoft operating system had its own zero-day flaw identified at the same time as the Chrome version, with the browser's flaw actively used as part of a more complex attack against Windows, reports CNET.
Google updated its announcement for the patch to advise the exploit against Chrome "exists in the wild." Justin Schuh, head of Google's Chrome Security, posted to Twitter advising of both the exploit's existence and advising users to update their browser with the new patch.
The issue lies in a memory management error for Chrome's FileReader API, which allows web apps to read local files on a desktop. Specifically, it is a memory error known as a "use-after-free" vulnerability when a web app attempts to access memory that had been freed or deleted from Chrome's allocated memory, with the flaw enabling malicious code to be executed.
Clement Lecigne of Google's Threat Analysis Group is credited as the researcher who found the bug.
Google Chrome for iOS is not affected by the security flaw.
Chrome's update dialog box when a patch is ready to install
A patch for Chrome shipped on March 1 consisting of a fix for a security flaw, identified as CVE-2019-5786. The update, which only fixed the issue without making other changes to the browser, brought Chrome on all three operating systems up to version 72.0.3626121.
While the security flaw affected all desktop versions of Chrome, it was especially a problem for Windows users, as it formed part of a more complex attack against Windows 7. The older Microsoft operating system had its own zero-day flaw identified at the same time as the Chrome version, with the browser's flaw actively used as part of a more complex attack against Windows, reports CNET.
Also, seriously, update your Chrome installs... like right this minute. #PSA
-- Justin Schuh (@justinschuh)
Google updated its announcement for the patch to advise the exploit against Chrome "exists in the wild." Justin Schuh, head of Google's Chrome Security, posted to Twitter advising of both the exploit's existence and advising users to update their browser with the new patch.
The issue lies in a memory management error for Chrome's FileReader API, which allows web apps to read local files on a desktop. Specifically, it is a memory error known as a "use-after-free" vulnerability when a web app attempts to access memory that had been freed or deleted from Chrome's allocated memory, with the flaw enabling malicious code to be executed.
Clement Lecigne of Google's Threat Analysis Group is credited as the researcher who found the bug.
Google Chrome for iOS is not affected by the security flaw.
Comments
I was thinking the same thing.
I haven’t checked to see if chromium will work, but I’d be willing to bet that the same security flaw announced here was also present in chromium.
Also, if this was being actively exploited, why wasn’t there an announcement about it so people could avoid using Chrome until it was patched? Google just got done publicizing a security flaw in macOS that wasn’t being exploited because Apple ‘wasn’t quick enough’ with a patch. Seems rather hypocritical for them to hide an active exploit.
If you use Google Chrome on your Mac, update it right now
If you use Google Chrome on your Mac, get rid of it right now
FIFY
If FaceBook wasn't around, Google would be getting all the scrutiny and bad press.
I use DuckDuckGo. I don't have any Google products on my devices or in my home or office.
FaceBook has 29,000 data points on every individual! You really don't see a problem with that?
Well said.
All I want is 'transparency, 'accountability,' and 'rule of law.' In other words, responsible corporate citizens.
Facebook, Google, Twitter and Amazon are the cigarette companies of the 80's and 90's.
BTW Gruber and Rene Richie were talking on the latest episode of The Talk Show about how the so-called anonymization by companies like Google and Facebook is easily circumvented by advertisers and metrics companies who figure out ways to link users to a specific identifying data point, and then create "shadow profiles" of you from there. Fun stuff, kids. You are the product.
So I guess its perfectly okay for me to go peak and stare into the windows of your house then? I mean, you're just a grain of salt on the beach....
It’s Google hate day.
1. I use Google search, there is nothing else close
2. I use Google Maps, Apple’s getting better but they’re still 2nd best
3. I use Google Mail, it’s my own domain, I get zero ads (that I haven’t signed up for)
OK technically I get ads, but I don’t see them because they go directly to my Junk folder.
If Google is using my info for ads, I don’t see them because of the ad blocker. Actually, Apple is the cause of my problem with auto play (ads) videos. There is no way to stop the auto play in Safari iOS. I suspect Google payed Apple off...
Who I won’t do business with is Facebook...
What's unfortunate is that thinking that Chrome (or Firefox) are superior to Safari, and vice versa. All are modern browsers and each adds features and conveniences over the other. I prefer Safari's "feel", but Chrome and Firefox have closed the gap. I still don't like Firefox's text rendering... it's different and seems slightly off.
I use Safari as my main browser, but have Chrome and Vivaldi ready to launch for other purposes. I use Netflix in Chrome, for example. I treat browsers like application wrappers so I can Cmd-Tab between them. I use multiple windows to organize related pages. People that open every single web page in a separate tab and never use multiple windows are missing out. Tabs do not replace multiple windows entirely like many people choose to believe.
Lose the "one single browser" mentality and the world will be a happier, more productive place.
-Is profit allowed or are you expecting break-even?
-What about the credit bureau's, banks, and other lenders who use your personal data to evaluate you for extending credit?
-Would it be OK for you as an employer to do a background check, or for an insurer to check your driving history and accident record?
All these things require that your personal data be stored somewhere. Is signing your agreement to access it sufficient or are you still demanding to be paid in actual money?
A lot of questions are raised by what you think is a simple matter. I look forward to your comment.
That's like saying getting stabbed is alright because its not as bad as getting shot.