It has been reported that Google revealed that a patch for Chrome last week was actually a fix for a zero-day that was under active attacks. The attacks exploited CVE-2019-5786, a security flaw and the only patch included in the Chrome 72.0.3626.121 version, released last Friday, March 1, 2019. According to an update to its original announcement and a tweet from Google Chrome’s security lead, the patched bug was under active attacks at the time of the patch.
Travis Biehn, Technical Strategist – Research Lead at Synopsys:
“Google Chrome is some of the most robustly engineered C and Cpp code on the planet, the security teams working on Chrome are world-class. Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and Cpp. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.
The teams at Mozilla are experimenting with porting parts FireFox’s Cpp codebase to Rust, a language that doesn’t suffer from memory corruption attacks – the availability of a highly performant and safe systems language like Rust is a game changer for software security – and we’re excited to see more organisations looking at replacing the use of less safe low-level languages with new languages like Rust.”