Chrome Zero-day CVE-2019-5786

On March 5^th Google announced a zero-day vulnerability affecting the Google Chrome Browser [1]. Google released a security update to address the issue on March 1^st, but confirmed that the vulnerability was exploited in the wild prior to patch release. All major operating systems including Windows, MacOS, and Linux are affected. Available endpoint telemetry across eSentire customers indicates vulnerable versions of Chrome are still widely in use. It is highly recommended to update Chrome as soon as is feasible.

What are we doing about it

• Current esRECON plugins identify this vulnerability in Windows and MacOS products

What you should do about it

• After conducting a performance impact review, update to Chrome version 72.0.3626.121 or higher for Windows, MacOS, and Linux
• After updating users are required to relaunch the browser

Additional information

CVE-2019-5786 was first discovered in late February by security researcher Clement Lecigne. The vulnerability resides in Google Chrome's FileReader API. When exploited a remote and unauthenticated threat actor could execute malicious code, which escapes from the in Chrome security sandbox and executes on the host machine.

Technical details on CVE-2019-5786 remain minimal at this time as Google will not release additional details until the majority of users have implemented the security patch.

References:

[1] https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html