All Chrome users have been advised to use the browser's built-in update tool to update Chrome to the latest version in order to avoid future issues with the bug. That update took care of the CVE-2019-5786 security flaw, which was discovered by Clement Lecigne of Google's Threat Analysis Group. This time around, a flaw in Chrome's implementation of the FileReader API allowed sites to break out of the browser's sandbox and execute native code.
The company said in a blog post that it is "aware" that a zero-day exploit for Chrome "exists in the wild".
"The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver () system call is called under specific circumstances", he added. Google believes that this is the only version of the OS where it works, because the exploit mitigations Microsoft introduced in newer versions of the OS, Windows 10 in particular, would prevent it.
Google also alerted users to another exploit affecting the Windows operating system.
However, out of nowhere this week, on Tuesday, March 5, Google revealed that the Chrome security fix was actually a patch for a zero-day that was being exploited in the wild, but, again, did not reveal any additional details. That's a departure from many Chrome patches, which work as soon as they're installed. In fact, Chrome security lead Justin Schuh tweeted (h/t: ZDNet) that users should update their browser installs right now.
Chrome OS users can update their version by selecting Settings, then going to the menu and selecting "About Chrome OS". "For most users, the update download is automatic, but restart is usually a manual action".