Google is pushing out a new update for desktop versions of its Chrome browser that includes fixes for zero-day vulnerabilities.
An exploit for one of the security bugs has already been found in the wild.
Three security flaws – all labelled as high severity – were patched in the update but access to the Common Vulnerabilities and Exposures (CVE) entries remains locked while the patch is rolled out.
One of the vulnerabilities fetched André Bargull $US5,000 through Google’s bug bounty program, while the other two were found by the tech giant’s own teams.
Found and analyzed with a lot of help from @5aelo and Sergei. https://t.co/qeBkjsao4o
— clem1 (@_clem1) February 25, 2020
Although Google is keeping details about the vulnerabilities sparse for the time being, cybersecurity researchers István Kurucsai and Vignesh Rao wrote up a detailed explanation – including the exploit code – for one Chromium vulnerability that has now been patched.
The technical rundown explains that the flaw was a failure to recognise that a JSCreate node within a function could be remapped and intercepted without being marked as unreliable, which opened the door for an attacker to execute arbitrary JavaScript code.
Are you up to date?
Chrome updates automatically in the background, but if you haven’t closed your browser in a while – because you just shut your laptop lid when you’re done for the day – it is worth checking which version of Chrome you’re running.
To check whether you are using the latest version, click the three little dots to the right of the URL bar, navigate down to Help, and click About Google Chrome.
Here you can see if your browser is updated to the latest version (80.0.3987.122).
Otherwise, Chrome should start updating on its own and will then prompt you to relaunch your browser (don't worry, your tabs will still be there when it re-opens).
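For anyone who has to confirm this across more than one machine, here is an added example (not from the article or from Google) that asks the installed Chrome binary for its version and compares it against the fixed build the article names, 80.0.3987.122. The binary names and the macOS application path it probes are assumptions; the version-string format matches what `google-chrome --version` prints.

```python
"""Report whether the installed desktop Chrome is older than the fixed build."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed version named in the article.
FIXED_VERSION = "80.0.3987.122"

# Binaries to probe, in order; assumed names/paths for illustration.
CHROME_BINARIES = [
    "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part dotted version from text like 'Google Chrome 80.0.3987.116'."""
    m = re.search(r"(\d+(?:\.\d+){3})", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_update(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is older than the fixed build.

    An unparseable string is treated as unpatched so a broken probe is never
    silently reported as 'fine'.
    """
    v = parse_version(version_text)
    return True if v is None else v < parse_version(fixed)


def installed_version_text() -> Optional[str]:
    """Run the first Chrome binary found with --version; None if none is found."""
    for name in CHROME_BINARIES:
        path = shutil.which(name)  # also accepts an absolute path
        if path is None:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    text = installed_version_text()
    if text is None:
        print("Chrome not found on this host")
    else:
        print(text, "-> UPDATE REQUIRED" if needs_update(text) else "-> patched")
```

This reports the version of the binary on disk; a Chrome process that has been running since before the update still needs to be relaunched before it picks up the fix.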