If you’re using Google’s Chrome browser and have not yet upgraded to the latest available version, do so now or risk being hit by attackers.
Google is warning users about a (now patched) zero-day vulnerability for which an exploit “exists in the wild.”
They didn’t come right out and say that the exploit is being actively used by attackers, but judging by the barrage of calls by Google’s security employees and bosses for users to update their browsers, it sure seems like it might be, and widely.
Google hasn’t revealed much about CVE-2019-5786: we know that it affects the browser’s FileReader API, that it’s a use-after-free vulnerability, and that it can allow attackers to escape the Chrome sandbox and perform remote code execution on the underlying operating system.
We also know that it was reported by Clement Lecigne of Google’s Threat Analysis Group a week ago (on February 27).
A fix for the flaw has been shipped with the latest desktop (Windows, Mac, Linux) and Android Chrome versions, as well as that for Chrome OS.
If they haven’t already, desktop Chrome users are urged to upgrade to v72.0.3626.121, Android users to v72.0.3626.121, and Chrome OS users to v72.0.3626.122.
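For anyone checking a fleet rather than a single browser, the practical question is whether each reported Chrome version is at or above the fixed build for its platform. The script below is an added example, not code from the article or from Google: it takes the fixed version numbers stated above, compares versions numerically per component (a plain string comparison would rank 72.0.3626.99 above 72.0.3626.121), and treats a malformed or unknown version as unpatched rather than silently passing it. The host inventory and its version strings are constructed for illustration.

```python
"""Check whether reported Chrome versions carry the fix for CVE-2019-5786.

Fixed versions are the ones named in the advisory text; the sample
inventory below is constructed for illustration only.
"""
from typing import List, Optional, Tuple

# Minimum patched versions per platform, as stated in the article.
FIXED_VERSIONS = {
    "desktop": "72.0.3626.121",   # Windows, Mac, Linux
    "android": "72.0.3626.121",
    "chromeos": "72.0.3626.122",
}


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Returns None for malformed input so callers can treat an unparseable
    version as 'unknown' rather than accidentally as 'patched'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at least the fixed build for `platform`.

    Tuple comparison is numeric per component, so 72.0.3626.121 correctly
    ranks above 72.0.3626.99 even though a string comparison would not.
    Unknown platforms and malformed versions are reported as not patched.
    """
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        return False
    have = parse_version(version)
    if have is None:
        return False
    return have >= parse_version(fixed)


# Constructed sample inventory: (hostname, platform, reported Chrome version)
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "72.0.3626.109"),   # older build, needs upgrade
    ("ws-02", "desktop", "72.0.3626.121"),   # exactly the fixed desktop build
    ("ws-03", "desktop", "73.0.3683.20"),    # newer major version
    ("cb-01", "chromeos", "72.0.3626.121"),  # fixed on desktop, but Chrome OS needs .122
    ("ph-01", "android", "72.0.3626.99"),    # string compare would wrongly call this newer
    ("ws-04", "desktop", "unknown"),         # malformed version string
]


def unpatched_hosts(inventory) -> List[str]:
    """Return the hostnames that still need the upgrade."""
    return [host for host, platform, ver in inventory if not is_patched(platform, ver)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required")
```

Note that the Chrome OS entry in the sample is deliberately one patch level short: a check that uses a single fixed version for every platform would wrongly mark it as safe, which is why the table keys on platform.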