Google is urging users of its Chrome browser to update after a high-severity vulnerability – which could enable remote attackers to execute code and carry out other malicious attacks – was uncovered.
The vulnerability (CVE-2019-5869), a use-after-free flaw, specifically exists in Blink, an open-source browser engine that powers the Google Chrome browser. Browser engines are at the heart of every major browser; their primary role is to transform HTML documents and other web page resources into visual representations on users’ devices. Blink (first launched in 2013) specifically was developed as part of the Chromium project, with various reusable software frameworks available for Android operating system and Chromium Embedded Framework (used widely in software by Adobe and streaming services like Spotify).
Researchers warned that successful exploitation of the vulnerability in Blink could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service (DoS) conditions.
“Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights,” according to a Center for Internet Security advisory issued on Tuesday. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
While details are scant regarding which specific part of Blink the vulnerability exists in, advisories do label it as a use-after-free flaw, a specific type of memory corruption glitch where an attempt to access memory after it has been freed is triggered. That can cause a program to crash or potentially result in the execution of arbitrary code.
The flaw in Blink that can be exploited if a user visits, or is redirected to, a specially crafted web page, according to the Center for Internet Security. So, attackers could remotely set up such a web page, then persuade a potential victim to visit it; from there, they would be able to remotely attack the victims’ system.
The flaw impacts Google Chrome versions prior to 76.0.3809.132; Google has urged users to update to version 76.0.3809.132 for Windows, Mac, and Linux. That said, currently, no reports exist of the vulnerability being exploited in the wild have been reported, researchers said.
The flaw was reported by Zhe Jin, and Luyao Liu from the Chengdu Security Response Center of Qihoo 360 on Monday through Google’s vulnerability disclosure process; researchers were awarded $5,500 for their discovery.
Overall, Google’s Chrome 76.0.3809.132 update addresses three security fixes – though only the use-after-free flaw in Blink was detailed. Threatpost has reached out to Google for more detail regarding the two other patches.
The current update comes after Google in July launched the latest iteration of the Chrome browser for Windows, Mac and Linux (Chrome 76) which blocks Adobe Flash Player default support and comes with more than 40 security fixes.
Previous flaw have been found in the Blink browser engine; in 2018, a browser bug was discovered that let bad actors uncover private data stored on Facebook, Google sites and other platforms, by using video and audio HTML tags, and the filtering functions in websites.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.