Google has launched an emergency update for Chrome users worldwide. The US technology company is urging users to install the update as soon as possible – and is keeping its mouth shut about the full extent of the vulnerability plaguing users until it’s sure that the majority of people have patched the flaw.
The flaw carries the codename “CVE-2020-6457” and is listed as a “use after free” exploit.
Security researchers at Sophos uncovered the vulnerability. According to reports, the flaw is a Remote Code Execution (RCE) that allows attackers to run commands and untrusted scripts behind your back.
In a blog post about the flaw, Sophos researcher Paul Ducklin said it could enable hackers “to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or ‘Are You Sure’ dialog.”
That means Google Chrome won’t double-check with users before allowing hackers to run their scripts. That could lead to devastating consequences for users.
According to Ducklin, the vulnerability could impact up to two billion users between Windows, macOS and Linux machines across the globe.
That’s devastatingly high. Fortunately, Google Chrome should keep itself up to date automatically – so you shouldn’t have to do much to ensure you’re shielded against the flaw. However, you can push things along a little quicker if you’re worried about the flaw.
To do that, launch your Google Chrome app on Windows 10 or macOS and click on the three-dots icon in the top right-hand corner of the browser window. In the dropdown, select Help > About Google Chrome. That should kickstart the update process.
Once your web browser has updated, you might need to click on the Relaunch button to launch the application again.
As soon as Google reveals more information about the patch and why it was so concerning that the company – which until recently had decided that it would not release any updates to Chrome while the world was in lockdown – had to rush-out a security update worldwide, we’ll update you.
According to the Sophos blog post, “The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix. Even closed-source software patches that reveal changes only at the machine code level are often eagerly “wrangled backwards” by researchers and crooks alike in order to figure out what was wrong in the first place.”
Published at Thu, 23 Apr 2020 06:21:00 +0000