Kelser Talks Google Chrome Vulnerability on NBC Connecticut
When the news emerged that there was a security issue in Google Chrome, Kelser provided NBC Connecticut with some expert perspective.
Google announced in a blog post that an update was available for Chrome that addressed a high/critical vulnerability (CVE-2019-5786: Use-after-free in FileReader). Reports confirm that this update addresses a zero-day vulnerability that was being exploited in the wild. Google Chrome’s leading security and desktop engineer even tweeted that users should “seriously, update your Chrome installs…like right this minute.”
What is a "zero-day" vulnerability?
In short, a “zero-day” vulnerability is one that hasn’t been patched yet by the developer/manufacturer/organization responsible for the hardware/software with the vulnerability. The vulnerability may already be exploited in the wild (though not necessarily).
From our partner Symantec:
The term “zero-day” refers to a newly discovered software vulnerability. Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released.
So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers.
Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.
But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That’s known as a zero-day attack.
What does “in the wild” mean?
“In the wild” in this case means that a vulnerability is being exploited “in real life” out in the world, as opposed to one that has only been exploited in lab tests by security professionals, for example.
TechTarget takes it a step further:
According to noted computer virus expert Paul Ducklin, in order for a virus to be considered in the wild, "it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users."
What can I do?
Make sure that your Chrome version is up to date. The updated version is 72.0.3626.121. You can check (and update if needed) Chrome on desktop by opening the drop-down menu (the three vertical dots), then going to “Help”, then “About Google Chrome”.
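For anyone checking more than one machine, the same version check can be scripted. The following is an added example, not code from the original post or from Kelser; it compares reported Chrome version strings numerically against the 72.0.3626.121 build named above, and the host inventory it runs over is constructed sample data.

```python
"""Check Chrome version strings against the build that fixes CVE-2019-5786."""

PATCHED_VERSION = "72.0.3626.121"  # the update named in the post


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version string into a tuple of ints.
    Components are compared numerically, so 72.0.3626.121 > 72.0.3626.96
    (a plain string comparison would get that backwards)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = PATCHED_VERSION) -> bool:
    """True if `version` is at or above the first build carrying the fix.
    Shorter strings are padded with zeros, so "73.0" is treated as 73.0.0.0."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v >= f


def vulnerable_hosts(inventory: dict) -> list:
    """Return the sorted names of hosts whose Chrome still needs the update."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostname -> reported Chrome version); not real data.
SAMPLE_INVENTORY = {
    "desk-01": "72.0.3626.121",  # exactly the fixed build
    "desk-02": "72.0.3626.119",  # older build on the same branch: still affected
    "desk-03": "73.0.3683.86",   # a later major release
    "desk-04": "71.0.3578.98",   # an earlier major release
    "desk-05": "72.0.3626.96",   # string compare would wrongly call "96" newer than "121"
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {PATCHED_VERSION}, update needed")
```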
Stay safe out there!