by Robinson Roca
Practice Leader – Network Infrastructure
Google has released a very important Microsoft Windows and Apple macOS update for Google Chrome. This update addresses an exploit that could allow attackers to take control and execute arbitrary code within the context of the Chrome browser. The Common Vulnerability and Exposure (CVE) number for this vulnerability is CVE-2019-5869, and the affects are so wide ranging that Google has decided that access to the bug details and links to bug information will be kept restricted until a majority of users are updated with a fix. This bug was reported by Zhe Jin and Luyao Liu from the Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
If the privileges associated to the user and/or application are high enough, attackers could install programs, change and/or delete data, possibly create new accounts with full user rights. It is understood that if the application has been implemented with fewer user rights, the exploit could be less severe than if the user/application had full user rights. The announced CVE affects Google Chrome versions prior to 76.0.3809.132. Helient recommends you apply the stable channel update provided by Google and avoid giving end users and applications administrative privileges.
At this time Cisco Talos, and a few other threat intelligence agencies, have no reports of this vulnerability being exploited in the wild. Exploits of this nature are typically thwarted at the onset by simply following best practice. The best practice design framework sits as the cornerstone of Helient’s deployments.
References:
CISA – https://www.us-cert.gov/ncas/current-activity/2019/08/27/google-releases-security-updates-chrome
CVE – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5869
Google – https://chromereleases.googleblog.com/2019/08/stable-channel-update-for-desktop_26.html
If you have any questions or need assistance with remediation of this issue, please contact us at service@helient.com.