Decade-Old Chrome Bug Found, Google Forces Users To Update Their Browser Immediately

Chrome is one of the most popular and widely used web browsers. Created by Google, the product certainly has a lot of people working on it. But that doesn't mean it's flawless.

The search giant has warned both Windows and Mac users to urgently update their Chrome browser due to a security bug that could let hackers hijack users' computers.

The bug in question has been around since Chrome's inception in 2008.

Describing it as "high" in severity, Google was forced to make this announcement because hackers had found the bug before Google did. This means the bug has been actively exploited in the wild.

Because all Chrome users are affected, Google kept most of the details to itself, at least until the majority of users have been updated with a fix.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said in a blog post warning about the discovery. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

Justin Schuh, Chrome's security engineer chief, warned users to update Chrome "right this minute" on Twitter, declaring it a "#PSA [Public Service Announcement]".

The zero-day vulnerability was first discovered by Clement Lecigne at Google's Threat Analysis Group on February 27th.

According to Google, the bug corrupts the way a web app accesses a computer's memory. Some tech experts theorize that the vulnerability could allow hackers to implant malware without any warnings or popups, read files and potentially even take over computers remotely.

If exploited, the bug can also cause victims' computers to crash or behave strangely.

In short, the bug allows hackers to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser's built-in sandbox protection.

The bug was located in Google's FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer.

A zero-day vulnerability is one for which threat actors have managed to create an exploit before the vendor knows about it. In this case, those people knew about the issue before Google did, so Google had zero days to issue a fix.

The bad news for Chrome users is that this particular zero-day vulnerability, CVE-2019-5786, is already being exploited by malicious actors. This is why it's extremely important to make sure that users update their Chrome browser to the latest patched version that fixes the vulnerability.

Those who are concerned about this issue can check whether their device is running an updated version of Google Chrome.

They can do this by typing chrome://settings/help into Chrome's address bar. On a mobile device, they can do this by visiting chrome://version.

Versions earlier than 72.0.3626.121 are all at risk.
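For anyone checking more than one machine, the version cutoff above is easy to get wrong with a plain string comparison. The following is an added example (not code from the article or from Google) that parses the version string shown on chrome://version or by an inventory export and flags installs older than 72.0.3626.121; the hostnames and version strings in the sample are constructed.

```python
"""Flag Chrome installs older than the CVE-2019-5786 fix (72.0.3626.121)."""
import re
from typing import Optional, Tuple

# Version that carries the fix, as stated in the article (added helper, not Google's code).
PATCHED_VERSION = "72.0.3626.121"
# Matches the dotted version shown on chrome://version or by `google-chrome --version`.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted version out of free text and return it as a 4-tuple of ints.
    Integers must be compared, not strings: as strings "9.0" sorts after "72.0".
    Returns None when no version-like token is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # "72.0" compares like "72.0.0.0"

def is_vulnerable(text: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if the version in `text` predates the fix, False if patched,
    None if no version could be parsed (treat as unknown, never as safe)."""
    found = parse_version(text)
    if found is None:
        return None
    return found < parse_version(patched)

def triage(inventory: dict) -> list:
    """Hosts whose Chrome is older than the fix or whose version could not be read."""
    return sorted(h for h, text in inventory.items() if is_vulnerable(text) is not False)

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and version strings are made up.
    sample = {
        "ws-01": "Google Chrome 72.0.3626.96 (Official Build) (64-bit)",
        "ws-02": "Google Chrome 72.0.3626.121 (Official Build) (64-bit)",
        "ws-03": "Google Chrome 9.0.597.107",  # a string comparison would call this safe
        "ws-04": "Chrome not installed",
    }
    for host in triage(sample):
        print(f"{host}: update Chrome to {PATCHED_VERSION} or later")
```

Hosts whose version cannot be read are listed alongside the outdated ones, since an unreadable version should be verified rather than assumed patched.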

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," said Abdul Syed, a Google Chrome engineer.

Published: 08/03/2017