Google fixes ‘highly severe’ zero-day Chrome exploit

Google has confirmed that a Chrome browser patch released last week was a fix for a critical flaw that was being exploited by criminals to inject malware onto a user's device.The company is urging Chrome users to immediately update their web browsers to the latest version, released last week, in light of the discovery of a zero-day vulnerability rated 'highly severe'.The flaw, termed CVE-2019-5786, is a memory mismanagement bug in Chrome's FileReader, an API included in all web browsers that allows apps to read files stored on a user's device or PC.Its nature as a 'use-after-free' error means it tries to access memory after it has been deleted from Chrome's allocated memory and, through this mechanism, could lead to the execution of malicious code."According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader," said Sophos' security proselytiser Paul Ducklin.