Google is patching a serious bug in the desktop version of its Chrome browser that could let an attacker take over a computer simply by luring users to a website. A fix for the bug, which affects the desktop version of Chrome on macOS, Windows, and Linux, will be available in the coming days, the company said. The flaw doesn’t affect the iOS or Android versions of Chrome.
The bug lies in Blink, the rendering engine that underpins Chrome. A rendering engine is the part of the browser that interprets HTML and creates the visuals you see when you visit a website.
Blink is part of the open-source Chromium project on which Chrome is based. The Chromium team created Blink in 2013 as a fork of WebCore, which is a part of WebKit, the browser engine that Apple uses for its Safari browser.
An attacker could exploit this serious bug if a user visits a malicious webpage, according to an advisory that the Center for Internet Security (CIS) issued a day after Google’s blog post on the issue.
It warned:
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Google is keeping quiet about the specifics of the bug until it’s sure that “the majority of users are updated with a fix”. However, it has revealed that it is a use-after-free vulnerability. Use-after-free bugs are flaws in which a program tries to access memory after it has been freed.
The bug was reported by Qihoo 360 Technology Co’s Chengdu Security Response Center. Google awarded the researchers $5,500 for their efforts.
CIS ranks the bug severity as high for large and medium organizations, and medium for small ones. The risk is low for home users, it suggests, but that certainly doesn’t mean you shouldn’t patch it.
Normally, this will happen in the background when the patch is available, but if you haven’t closed Chrome in a while you can check to see if there are any pending updates. Click the ‘more’ icon (the three dots at the far right of the address bar), and then Help, and About Google Chrome. The browser will check for any updates when you’re on this page.
Erik
This article does not mention Chrome OS as being in either the vulnerable group or the safe group. Any word?
Magyver
Danny, it doesn’t seem right not to disclose what the “fixed” version number would be, nobody likes to worry. I however just happen to know that last week my version number ended in .100, now it ends in .132.
Am I repaired then? …also I’d like to point out that the reasoning behind the CIS severity ranking seems a bit obtuse to me – private individuals will draw little comfort in their lowered ranking due to them “not being as juicy a prize”.
Private individuals can be hacked easier than most companies can be.
Paul Ducklin
According to Google’s Chrome Releases page, the most recent blog entry that mentions an update to the Stable Channel for Desktop says:
“The stable channel has been updated to 76.0.3809.132 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.”
I’d have thought that Google could orchestrate a rollout in hours/days myself – weeks seems weirdly long in the modern era – but a version number ending .132 indeed seems to be what you want.
Magyver
Danny, it also just occurred to me that both Opera and MS Edge are based upon the Chrome OS software too, and yet were not mentioned as being vulnerable or the vulnerability having been repaired.
Surely an even deeper story lurks inside this controversy no matter which way that goes. Either Chrome isn’t warning them, their modified software is more secure than standard Chrome or they got it repaired before Chrome did.
Got any insight on that Danny?
njorl
Nice to see it was a Chinese company helping to make our browsing, and Google’s product, safer. This stands in contrast with the furore over Huawei and its expulsion from the Google-controlled PlayStore network.
Mechtilda Mugo
How safe is it as far as security and privacy of information is concerned?
Paul Ducklin
This bug allows what’s called “remote code execution”, meaning that crooks could pretty much plant any malicious program they liked on your computer. If a crook can install a program to wade through all your files…
…that’s fairly bad for security and privacy!