[SingCERT] Critical Vulnerability CVE-2019-5869 in Google Chrome

Published on 30 Aug 2019

Updated on 23 Oct 2019

Background

Google has announced a security update to address a critical vulnerability (CVE-2019-5869) found in its Chrome web browser.

A "use-after-free" memory corruption flaw exists in Blink, the rendering engine that powers the Chrome web browser. Blink's primary role is to transform HTML documents and other web page resources into visual representations on users' devices.

Affected Product

Google Chrome versions prior to 76.0.3809.132

Impact

Successful exploitation of this vulnerability could allow an attacker to bypass security restrictions and execute arbitrary code on the underlying operating system to carry out malicious activities, such as a denial-of-service (DoS) attack and/or the theft of sensitive user information.

Recommendation

Users of affected versions of the Chrome browser are advised to update to the latest version immediately. For users who have enabled the automatic update function in Chrome, the browser will be updated to the latest version once the device is connected to the Internet. Users who have not enabled the automatic update function are advised to perform a manual update.

All users are encouraged to enable the automatic update function so that software updates are applied promptly.
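To find which machines still need the manual update, reported Chrome versions can be compared against the fixed release 76.0.3809.132 named under Affected Product. The following is an added example, not part of the original advisory; the host names and inventory strings are constructed, and the comparison is done numerically per component because a plain string comparison would wrongly rank 76.0.3809.87 above 76.0.3809.132.

```python
import re

# First fixed release, taken from the advisory's "Affected Product" section.
FIXED = (76, 0, 3809, 132)

# Four dot-separated numeric components, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(text):
    """True if older than FIXED, False if at or above it, None if unparseable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component: (.., 87) < (.., 132).
    return version < FIXED


def audit(inventory):
    """Map each host to 'affected', 'patched' or 'unknown'."""
    labels = {True: "affected", False: "patched", None: "unknown"}
    return {host: labels[is_affected(reported)]
            for host, reported in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 76.0.3809.132",
    "ws-02": "Google Chrome 76.0.3809.87",   # sorts after .132 as a string
    "ws-03": "Google Chrome 75.0.3770.142",
    "ws-04": "Google Chrome 77.0.3865.90",
    "ws-05": "chrome: not installed",        # no version reported
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE).items()):
        print(host, state)
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.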

References

https://chromereleases.googleblog.com/2019/08/stable-channel-update-for-desktop_26.html

https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2019-086/

https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/