Google has released an emergency patch for Chrome on Windows, macOS and Linux to fix a newly discovered vulnerability that could allow malicious websites to completely take over your PC. Here's how to get the fix.
The non-profit Center for Internet Security has released an urgent missive urging Chrome users to update their browsers.
The discovered vulnerability, which affects all non-mobile versions of Google Chrome prior to 76.0.3809.132, could result in arbitrary code execution and the hostile takeover of any machine on which the browser is run with administrative rights.
As the organisation explains:
A vulnerability has been discovered in Google Chrome which could result in arbitrary code execution. This vulnerability is a use-after-free vulnerability in Blink that can be exploited if a user visits, or is redirected to, a specially crafted web page.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.
Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
So that'll be a big yikes, then.
The Center for Internet Security recommends the following action be taken:
- Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
How to fix the Chrome vulnerability
Google has already rushed out an update to patch this vulnerability. Chrome version 76.0.3809.132 can be downloaded from the Google Blog's Chrome Releases page. (You can check which version of Chrome you're currently running, and trigger an automatic update, from Chrome's About page.)
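For anyone checking a fleet rather than a single machine, the practical question is whether each installed build is numerically older than 76.0.3809.132. The script below is an added example, not code from the article, Google or the Center for Internet Security; it assumes a simple "host,version" inventory format (constructed sample lines included) and compares four-part version strings as integers, because a plain string comparison would wrongly rank 76.0.3809.9 above 76.0.3809.132.

```python
"""Flag Chrome installs older than the release that carries the fix.

Added example; not from the article or from Google/CIS. The fixed version
76.0.3809.132 is the one the article names; the inventory format and the
sample hosts/versions below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "76.0.3809.132"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison.

    A lexical compare gets this wrong: '76.0.3809.9' > '76.0.3809.132' as
    strings, yet build 3809.9 is the older one.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    return tuple(int(part) for part in m.groups())


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Classify 'host,version' lines as vulnerable, patched or unparseable.

    Blank lines and '#' comments are skipped; a version string that does not
    parse is reported separately rather than silently treated as patched.
    """
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "vulnerable" if needs_update(version) else "patched"
        except ValueError:
            bucket = "unparseable"
        report[bucket].append(host.strip())
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host,chrome_version
ws-01,76.0.3809.100
ws-02,76.0.3809.132
ws-03,76.0.3809.9
ws-04,77.0.0.1
ws-05,unknown
"""

if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY.splitlines())
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unparseable" bucket deserve a manual look rather than being assumed safe; a missing or malformed version string usually means the inventory agent could not read the install at all.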
Interestingly, the latest update actually patches three separate flaws, but Google only provided information on this vulnerability. (It was originally discovered by Zhe Jin and Luyao Liu from the Chengdu Security Response Center.)
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed," the blog post explained. We'll keep you posted if we learn more.