Google patches high-severity Chrome browser engine security flaw
The flaw could enable attackers to carry out remote code-execution or denial-of-service attacks
Google has updated Chrome to fix a high-severity vulnerability that could enable hackers to carry out remote code-execution attacks.
"The stable channel has been updated to 76.0.3809.132 for Windows, Mac, and Linux, which will roll out over the coming days/weeks," Srinivas Sista of Google Chrome announced in an online post.
The flaw, tracked as CVE-2019-5869, was uncovered on Monday by two security researchers, Luyao Liu and Zhe Jin from the Chengdu Security Response Centre of Qihoo 360 Technology Co. Ltd. They reported the bug through Google's vulnerability disclosure process and were awarded $5,500 for their assistance in making the Chrome browser safe for users.
According to Google, this "use-after-free" flaw exists in the Blink browser engine that powers Google Chrome and poses "HIGH" risk to large and medium government and business entities.
Blink is open source; it was developed under the Google Chromium project and was rolled out in 2013.
The researchers who discovered the vulnerability in Blink warned that it could enable attackers to circumvent security restrictions, execute arbitrary code on the system, carry out denial-of-service (DoS) attacks, and steal sensitive user information.
All Google Chrome versions prior to 76.0.3809.132 are affected by the security flaw.
"Depending on the privileges associated with the application, an attacker could install programmes; view, change, or delete data; or create new accounts with full user rights," warns the advisory issued by the Centre for Internet Security on Tuesday.
Moreover, attackers can easily exploit the bug when a user visits a specially crafted malicious webpage.
A "use-after-free" bug is a memory corruption issue in which a program attempts to access memory after that memory has been freed. Such an attempt may result in a crash of the programme or the execution of arbitrary code.
According to Google, its Chrome 76.0.3809.132 update fixed three security bugs in total, although the company didn't reveal any further detail about the other two bugs.
Google had previously updated its Chrome browser for Windows, Mac and Linux (Chrome 76) in July. That update addressed more than 40 security issues in the browser.
Earlier in March, users of Google's Chrome web browser were advised to update it as a matter of urgency following the discovery of exploits in the wild for a 'high severity' security flaw publicised in February.
The Centre for Internet Security advises users to take the following steps to protect their systems from potential attacks:
- Apply the Chrome stable channel update to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user to lessen the effects of a successful attack.
- Don't visit any untrusted website.
- Apply the Principle of Least Privilege to all services and systems.
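To support the first step, the check below flags hosts whose reported Chrome version is earlier than the fixed 76.0.3809.132 release. It is an added example, not code from Google or the Centre for Internet Security; the inventory format, hostnames and function names are assumptions made for illustration.

```python
import re

# Fixed release named in the article; anything earlier is affected.
FIXED = (76, 0, 3809, 132)

# Chrome versions are four dot-separated integers.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(text):
    """True if affected, False if patched, None if no version could be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED


def triage(inventory_lines):
    """Split 'host<TAB>version string' lines into affected/patched/unknown hosts."""
    result = {"affected": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        host, _, reported = line.partition("\t")
        status = is_affected(reported)
        key = "unknown" if status is None else ("affected" if status else "patched")
        result[key].append(host.strip())
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ws-001\tGoogle Chrome 76.0.3809.100",
    "ws-002\tGoogle Chrome 76.0.3809.132",
    "ws-003\tGoogle Chrome 75.0.3770.142",
    "ws-004\tGoogle Chrome 77.0.3865.90",
    "ws-005\tGoogle Chrome 9.0.597.84",  # a plain string comparison would call this newer
    "ws-006\tnot installed",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the version as a tuple of integers rather than as a string avoids misclassifying hosts where a component has a different number of digits; hosts in the "unknown" bucket need manual follow-up rather than being assumed patched.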