Chrome Zero-Day RCE: Exploit in the Wild – Patch Now

Google is warning Chrome users to update their browser installations immediately. Previous versions have a nasty security bug that allows remote code execution.

And it’s not theoretical: It turns out that this vulnerability was already being exploited before the patch was available. Google is being super-cagey about the exact nature of the flaw, but the company is being unusually insistent about how urgent this is.

So you know what to do and when to do it. In this week’s SB Blogwatch, we sit up and take notice.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Daisy Belle.

UAF RCE Zero-Day in API

What’s the craic? Catalin Cimpanu calls Chrome zero-day under active attack:

A patch for Chrome last week was actually a fix for a zero-day that was under active attacks. … CVE-2019-5786 [is] a security flaw and the only patch included in the Chrome 72.0.3626.121 version.

[It’s] a memory management error in Google Chrome’s FileReader … web API. … The bug is a use-after-free vulnerability, a type of memory error that happens when an app tries to access memory after it has been freed/deleted. … The security researcher who discovered the bug [is] Clement Lecigne of Google’s Threat Analysis Group.

Roughly 70 percent of all security bugs that Microsoft patches every year are memory safety errors like the one the Chrome team patched. … Most of the errors come from using C and C++, two “memory-unsafe” programming languages.

Sounds urgent. Davey Winder explains, “Google Confirms Serious Chrome Security Problem – Here’s How To Fix It”:

Why the urgency? … There is a zero-day vulnerability for Chrome that … is being actively exploited.

What does that all mean? Well … while they all need to be fixed, not all of them either can be or are being exploited. A zero-day vulnerability is one that threat actors have managed to create an exploit for … before the good guys even knew the vulnerability existed. In other words they have zero days in which to issue a fix.

The ‘use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine. … That’s why Google has issued the urgent update warning. … An attacker [could] remotely run arbitrary code … whilst escaping the browser’s built-in sandbox.

What’s Google saying officially? Abdul Syed dryly documents a stable channel update:

72.0.3626.121 for Windows, Mac, and Linux … includes 1 security fix.

Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild. … We would also like to thank all security researchers that worked with us … to prevent security bugs from ever reaching the stable channel.

Why so serious? Paul Ducklin is all fingers and thumbs:

All vulnerabilities represent a risk, by definition. … But in the same sort of way that all thumbs are fingers, while not all fingers are thumbs … not all vulnerabilities can be turned into exploits.

Nevertheless, some vulnerabilities … make a program crash in a cunning way that leaves the software alive but with the attackers in direct control.

How to ensure you get the fix? Here’s SBN member Melisha Dsouza:

Mac, Windows, and Linux users are advised to manually initiate the download if it is yet to be pushed to a device. Head over to chrome://settings/help to check the current version of Chrome on your system. The URL will also do an update check at the same time, just in case any recent auto-updates have failed.

So, more work for harassed IT folk—including hasthisusernamegone:

Oh joy. This will create additional headaches here. We’ve been holding off updating people as there’s something odd about Chrome versions above 68 that means they never shut down properly in our environment. They hold three processes open in the background that never seem to close unless killed in Task Manager and that block it.

I’ve posted reports in the Chrome dev forums but I might as well have written them on a note, put it in a bottle and lobbed it into the sea for all the good that’s done.

But who’s to blame? staticassertion asserts it’s K&R:

Chrome has probably invested > 1 billion dollars into their codebase at this point. Certainly >100million into security. … They build this project with security in mind from day 1.

Their track record for security is something to really be proud of. [So] let’s just collectively admit it, finally – you can’t write safe C++ in a codebase this complex.

To be clear, I’m not saying “Chrome should be rewritten in a memory safe language.” I’m saying that Chrome is an excellent project to point to, say “Wow, no one does as much to secure a codebase as them,” and to follow that up with “and they still got owned.”

I’m not … suggesting that Google did anything wrong, or should change their posture in any way. They’ve been extremely successful … they spend a lot of money on security, they do an incredible job, [but] stuff like this can still slip through, which I find really interesting. … Chrome is an example of a project with more security funding than just about any other project out there, and it still can’t save users from the footguns of C++.

And titzer agrees:

Many, many critical bugs are due to array buffers and lifetime management issues of their backing stores. … There are just a ****ton of bugs that are directly due to manual memory management in C++ and all the other pitfalls of C++. We’d be on much better footing to get rid of C++ altogether, as it is by far the most common source of bugs in Chrome.

Humans suck at managing memory. Let machines do it.

In a similar vein, here’s pjmlp:

Linux is another good example how C doesn’t cut it, even among top developers. … 68% of 2018 CVE’s were caused by memory corruption bugs. … What is clear is that hoping for the best and the mythical 10x developers that write perfect C and C++ code won’t ever happen.

[C’s] ubiquity is an historical accident, by no means permanent, and thankfully some vendors are finally walking away from it, as proven by Microsoft … future Windows development best practices. … I was mainly a C and C++ developer until 2006 and you will see me praise C++, but also be an heavy critic of the copy-paste security exploits it inherited from C.

Meanwhile, Rapzid feels faintly foolish:

Oh man.. Am I the only person who has been neglecting that little red arrow icon in Chrome for the past few days?!

It would be great if Chrome popped up a blocking message that said “UPDATE NOW, DAY ZERO IS UPON THEE!!!!”

And Finally:

The poignant, Emmy award-winning “Daisy Belle,” by William Wall

A robot cares for his owner while mysterious creatures lurk in the strange world outside.


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Brad Schafer (cc:by)

Featured eBook
Container Security: Securing from Within

Container Security: Securing from Within

Containers increase speed, simplify operations, improve development efficiency and bring a slew of other benefits, making them a top choice for agile deployment infrastructure. Everything from web apps, services, data stores, command line apps, desktop apps and other Linux programs can easily be packaged within containers. However, issues regarding their security have grown. Unsecured containers ... Read More
Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 16 posts and counting.See all posts by richi