Chrome zero-day is under active attack: patch your browser now
Chrome users: before you read any further, do us a favour and check your current version (Menu > Help > About Google Chrome). If it says the version number is 72.0.3626.121, then breathe a sigh of relief. If it isn’t, then run through the prompted update and come back.
The reason for the urgency? Google has revealed that last week’s CVE-2019-5786 update was prompted by the uncovering of a zero-day exploit that is being actively used in attacks. Or as Google security researcher Justin Schuh put it:
It’s not quite clear what the full nature of the exploit is: Google sensibly declines to reveal details until the risk is widely mitigated via the security patch, to prevent copycats making the problem worse. As the official release page says: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
What we do know from the official release notes is that it seems to be something to do with Chrome’s FileReader, an API designed to let web apps read the contents of files on a user’s computer. It’s reportedly a use-after-free vulnerability, a memory error that occurs when a program tries to access memory that has already been freed. This mishandling can sometimes lead to malicious code being executed, and that suggests that bad actors may be trying to plant malware via malicious websites.
More details may emerge with time, but as long as you’re patched to the latest version of Chrome you should be safe. Well, safe until the next zero day is found in this never-ending game of cat and mouse, anyway.
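For anyone checking more than one machine, the version check described above can be scripted. This is an added example, not code from Google or from the original article: it assumes a "host,version" inventory (the hostnames and versions below are constructed) and treats 72.0.3626.121 or any later build as patched.

```python
import re

# Fixed build named in the article for CVE-2019-5786.
PATCHED = (72, 0, 3626, 121)

# Chrome versions have four dot-separated numeric fields.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory_lines, patched=PATCHED):
    """Sort 'host,version' lines into patched, vulnerable and unknown hosts."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            # Never count an unreadable version as safe.
            result["unknown"].append(host)
        elif version >= patched:
            # Tuples compare field by field as numbers. Comparing the raw
            # strings would rank "72.0.3626.96" above "72.0.3626.121".
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
# host,chrome_version
desk-01,72.0.3626.121
desk-02,72.0.3626.96
desk-03,71.0.3578.98
desk-04,73.0.3683.39
desk-05,unknown
""".splitlines()

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown group need a manual look rather than a pass.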