Google is rolling out an emergency update for Chrome users which patches an arbitrary code execution vulnerability. The update is rolling out to Windows, macOS, and Linux and has been marked as urgent as the vulnerability could potentially allow hackers to take control of your PC.
A vulnerability has been discovered in Google Chrome which could result in arbitrary code execution. This vulnerability is a use-after-free vulnerability in Blink that can be exploited if a user visits, or is redirected to, a specially crafted web page.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.
Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
The Center for Internet Security recommends the following to all the Chrome users to ensure they’re not affected by the vulnerability.
- Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
Google has already released a patch which should install immediately. Even then if you’re the paranoid kind, you can head to Menu>Help>About Google Chrome and verify if the latest version (76.0.3809.132) is installed. Google has also fixed some more vulnerability but has redracted the information from the Releases page.
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.