Google Reveals Chrome Zero-Day Under Active Attacks

It has been reported that Google revealed that a Chrome patch released last week was actually a fix for a zero-day that was under active attack. The attacks exploited CVE-2019-5786, a security flaw whose fix was the only patch included in Chrome version 72.0.3626.121, released last Friday, March 1, 2019. According to an update to Google's original announcement and a tweet from Google Chrome’s security lead, the bug was being actively exploited at the time the patch was released.

Travis Biehn, Technical Strategist – Research Lead at Synopsys: 

“Google Chrome is some of the most robustly engineered C and Cpp code on the planet; the security teams working on Chrome are world-class. Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and Cpp. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.

The teams at Mozilla are experimenting with porting parts of Firefox’s Cpp codebase to Rust, a language that doesn’t suffer from memory corruption attacks – the availability of a highly performant and safe systems language like Rust is a game changer for software security – and we’re excited to see more organisations looking at replacing the use of less safe low-level languages with new languages like Rust.”

 
