Google has released an out-of-band patch for its Chrome web browser, following the discovery of a security vulnerability which allows for arbitrary code execution.
The world's most popular web browser, with a claimed 66.9 percent of the desktop and laptop market according to Net Market Share, Google's Chrome - built atop of the open-source Chromium project - is a tempting target for hackers: Web browsers, by their very nature, are designed to pull code from untrusted remote locations and, if not actively execute it, then at least process it in order to display a site on-screen. A code execution flaw, then, is serious business - which is likely why Google didn't wait for its regularly-scheduled update cycle before releasing a fix for exactly that in its latest Chrome releases.
The flaw itself exists in the Blink browser engine itself, asm a use-after-free vulnerability that allows an attacker - which could simply be a malicious website, or even a malicious advert embedded into a perfectly legitimate website - to execute arbitrary code under the privilege level of the browser itself, which is typically the same as the user account which is running the browser. The issue was discovered and reported privately by Qihoo 360 staff Zhe Jin and Luyao Liu as part of Google's bug bounty programme, for which the pair received $5,500.
Those running the Chrome browser on any platform are advised to update now, and to ensure their version is at least 76.0.3809.132; any version prior to this should be considered at risk of attach from the vulnerability.
The same update also includes two additional security updates discovered by Google's internal development team, for which details have not been publicly released.
January 24 2020 | 12:00