Google is rolling out a critical patch for its Chrome browser to fix four serious vulnerabilities, including one that enables arbitrary code execution on the system simply by visiting a specially crafted webpage, with no other user interaction required.
Until the majority of the installed user base has updated to the patched version of Chrome, Google is not releasing details of the vulnerabilities, other than to say they are all ‘use after free’ coding defects.
A ‘use after free’ flaw is a type of coding mistake where a program attempts to use an allocation of memory, such as an object created in a C++ program, after it has been released (or freed) by another part of the application. This can either result in a crash or, if the memory in question has been manipulated by an attacker, cause arbitrary code to be executed.
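The C++ sketch below is an added example, not code from Chrome or from Google's advisory; the names Widget, RawObserver and WeakObserver are hypothetical. It shows a raw pointer left dangling when another part of the program frees the object, next to a std::weak_ptr observer that detects the release instead of touching freed memory.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical heap-allocated object, standing in for any C++ object.
struct Widget {
    std::string name;
    explicit Widget(std::string n) : name(std::move(n)) {}
    std::string describe() const { return "widget:" + name; }
};

// Unsafe pattern: a raw pointer cannot tell when the owner frees the object.
struct RawObserver {
    Widget* target;  // dangles once the owner releases the Widget
};

// Safer pattern: a weak_ptr must be locked before every use.
struct WeakObserver {
    std::weak_ptr<Widget> target;
    // Returns the description, or "<freed>" if the object has been released.
    std::string describe() const {
        if (auto live = target.lock()) return live->describe();
        return "<freed>";
    }
};

// Walks through the lifetime sequence and records what the weak observer sees.
std::vector<std::string> run_lifetime_demo() {
    std::vector<std::string> seen;
    auto owner = std::make_shared<Widget>("tab-1");  // constructed sample name
    RawObserver raw{owner.get()};
    WeakObserver weak{owner};
    seen.push_back(weak.describe());  // object is alive
    owner.reset();                    // another part of the program frees it
    // raw.target now dangles: calling raw.target->describe() here would be
    // a use after free. Clearing it is the only safe operation left.
    raw.target = nullptr;
    seen.push_back(weak.describe());  // stale reference detected, not used
    return seen;
}

int main() {
    for (const auto& line : run_lifetime_demo()) std::cout << line << "\n";
    return 0;
}
```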
Google states that:
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
The fix is in version 77.0.3865.90 of the stable desktop release channel for Windows, Mac, and Linux. You can check the current version of Chrome by clicking Help -> About Google Chrome.
Administrators who have disabled Chrome auto-updates should consider updating to resolve these vulnerabilities.