
[UPDATE! Zeroday 1-2 Combo] Google - Actively Spreading Chrome Exploit is so bad we won't tell you exactly what it is

rcmaehl

UPDATE (Credit @domroderiguez)
 

Source:
Ars Technica

Excerpt:

Quote

Google researchers discovered a Windows exploit involving local system privileges being combined by attackers with a separate Google Chrome security flaw patched last Friday. While the Chrome exploit is inactive after Google rolled out a security update, Windows users running old versions are still at risk.

 

"The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome’s FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances." - Ars Technica

 

While Google released a patch for Chrome a week ago, the update requires a browser restart to take effect, unlike the previous Chrome exploit involving the Adobe Flash plug-in, which did not require a restart. Clement Lecigne, a member of Google’s Threat Analysis Group, advises that all Windows users upgrade to version 10.

 

----------------------------------------------------------------------------

Sources:
Sophos

Google
9to5 Google
 

Summary:
Google has released a patch for an undisclosed zero day being actively used and spread as you read this. Dev team says Update Right This Minute. Google to release details once most users patched.

Quotes/Excerpts:

Quote

A flaw in Chrome's implementation of the FileReader API allowed sites to break out of their sandbox and execute native code. To make matters worse, Google said the exploit was being actively used before the company fixed it. The fix is included in Chrome 72.0.3626.121 for Android and desktop platforms. If the update hasn't already rolled out to you, you should manually check for it.

Quote

Chrome users, make sure you’ve got the very latest version. The version you want is 72.0.3626.121, released at the start of March 2019. To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help. The reason that even the Chrome team are wading in with you’d-better-update warnings is the recent appearance of a zero-day security vulnerability, dubbed CVE-2019-5786. Google says it is “aware of reports that an exploit […] exists in the wild.” Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment. Google says: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader. It looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE. There doesn’t seem to be a workaround, but if you make sure you’re up to date, you don’t need one because the bug will be squashed.

 

My Thoughts:
Apparently Google REALLY wants everyone to get this update NOW. I would assume that this may be being spread using social media or other quick methods. This issue affects all OS versions of Chrome and has apparently been exploited since at least late February, before this patch was released. While exact details have yet to be revealed, I'm assuming this allows full-on RCE of file reading, writing, and overriding to a critical portion of Windows or even any part of the disk in general. This could easily be paired with other OS zero-days to easily compromise a computer from a website. I'll be waiting for details.

Edited by rcmaehl
Update with additional news

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
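The practical check the Sophos excerpt describes (compare what chrome://settings/help reports against 72.0.3626.121) and the restart caveat from the update are easy to get wrong with a plain string comparison, so here is a small added example, not code from the original thread or from Google, that parses a four-part Chrome version, decides whether it includes the CVE-2019-5786 fix, and distinguishes "update downloaded but browser not relaunched" from "patched". The helper names, the `installed` parameter and the sample version strings are constructed for the example.

```python
"""Classify a Chrome install against the CVE-2019-5786 fixed version.

Added example, not from the original thread or from Google. The fixed
version 72.0.3626.121 and the "restart required" behaviour come from the
thread; helper names and sample version strings are constructed.
"""
import re
from typing import Optional, Tuple

# First Chrome release shipping the FileReader fix (value taken from the thread).
FIXED_VERSION = "72.0.3626.121"

# Chrome reports MAJOR.MINOR.BUILD.PATCH; anything else is treated as unknown.
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into an int tuple; None if malformed.

    Int tuples compare numerically per component, so 72.0.3626.121 sorts
    before 73.0.3683.75, which a plain string comparison would get wrong
    once a component has a different number of digits.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str) -> Optional[bool]:
    """True if `version` is at or past FIXED_VERSION, False if older, None if unparsable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = parse_version(FIXED_VERSION)
    assert fixed is not None  # constant is well-formed
    return parsed >= fixed


def assess(running: str, installed: Optional[str] = None) -> str:
    """Classify a host from the version actually running and the version on disk.

    `running` is what chrome://settings/help shows for the live process.
    `installed` (constructed parameter) is the version the updater has
    already staged, if known. A staged update does not protect the running
    process until Chrome is relaunched, which is the restart caveat the
    thread raises.
    """
    running_ok = is_patched(running)
    if running_ok is None:
        return "unknown: cannot parse running version %r" % running
    if running_ok:
        return "patched"
    if installed is not None and is_patched(installed):
        return "update downloaded, restart required"
    return "vulnerable: update and relaunch"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [
        ("72.0.3626.119", None),             # pre-fix build, nothing staged
        ("72.0.3626.119", "72.0.3626.121"),  # fix downloaded, browser not relaunched
        ("72.0.3626.121", None),             # exactly the fixed build
        ("73.0.3683.75", None),              # a later build
        ("72.0.3626", None),                 # truncated report
    ]
    for running, installed in samples:
        print(f"running={running:<14} installed={installed or '-':<14} -> {assess(running, installed)}")
```

In a fleet inventory the same `assess()` call runs per host; the middle case is the one that matters operationally, because an auto-updater that has already fetched 72.0.3626.121 will still show the old version in the running process until the user relaunches.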


Any info on this affecting Chromium? 

Cor Caeruleus Reborn v6


CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


5 minutes ago, ARikozuM said:

Any info on this affecting Chromium? 

I haven't seen any details on Chromium, but I'll update the OP if I see anything.


8 minutes ago, ARikozuM said:

Any info on this affecting Chromium? 

 

2 minutes ago, rcmaehl said:

I haven't seen any details on Chromium, but I'll update the OP if I see anything.

I would assume it does; the software is almost identical. It's a good idea to update just in case, if you use Chromium.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Major exploits in other software and operating systems are OK, however, for Google to blab out to everyone.


5 minutes ago, floofer said:

Major exploits in other software and operating systems are OK, however, for Google to blab out to everyone.

Yeah, everything about them is hypocritical.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


38 minutes ago, rcmaehl said:

A flaw in Chrome's implementation of the FileReader API allowed sites to break out of their sandbox and execute native code...

 

According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader. It looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.

Uh oh, that doesn't sound good. Thankfully mine is updated. Security is becoming a greater concern day by day.


Wait, is Firefox a Chromium-based browser?

Regardless, I am pretty concerned about this. Why won't they tell people what is going on?

Who needs fancy graphics and high resolutions when you can get a 60 FPS frame rate on iGPUs?


1 hour ago, rcmaehl said:

While exact details have yet to be revealed, I'm assuming this allows full-on RCE of file reading, writing, and overriding to a critical portion of Windows or even any part of the disk in general. This could easily be paired with other OS zero-days to easily compromise a computer from a website. I'll be waiting for details

Once you can execute native code, you can do anything that a user space desktop application can do.

The Chrome exploit is most likely used as payload delivery for more nefarious and powerful tools.

ENCRYPTION IS NOT A CRIME


10 minutes ago, DrDerp said:

Wait, is Firefox a Chromium-based browser?

Regardless, I am pretty concerned about this. Why won't they tell people what is going on?

No, Firefox has been using Quantum since version 57. Prior to that it was using Gecko.


Good thing I haven't used Chrome in 4 years (except at work, where I don't have a choice).

🌲🌲🌲

 

 

 

◒ ◒ 


5 hours ago, rcmaehl said:

Apparently Google REALLY wants everyone to get this update NOW.

I think you're reading a bit too much into this.

The lead developer of Chrome on Twitter made a joking/humorous tweet, and then went "Also, seriously, update your Chrome installs... like right this minute.".

All the stuff about full caps "NOW" and "Google really wants you to update!" is just completely made up quotes, and it's pretty disingenuous to put that in quotes and say that the dev team is saying it.

 

5 hours ago, ARikozuM said:

Any info on this affecting Chromium? 

There is a 99% chance it does, as well as all other Blink based browsers like Opera, Vivaldi, Brave, etc.

 

5 hours ago, floofer said:

Major exploits in other software and operating systems is ok however, by google, to blab out to everyone. 

5 hours ago, Drak3 said:

Yeah, everything about them is hypocritical.

What the hell are you on about? Google gives other companies several months to fix the issue before disclosing that the vulnerability even exists to the public. In this case Google got to know about the vulnerability like a week ago, has developed a fix, is rolling it out and informing people to update while keeping the details out of the public until a slightly later date (so that people have time to update).

 

Google is acting exemplary here. Only a fool would say they are hypocritical or acting poorly.

 

 

5 hours ago, DrDerp said:

Wait, is Firefox a Chromium-based browser?

It's not.

 

5 hours ago, DrDerp said:

Regardless, I am pretty concerned about this. Why won't they tell people what is going on?

They are. They have told people that there is a vulnerability and that people should update Chrome.

What they are not telling people right now (but will in the future) is the details about how an attack can use this vulnerability. The reason why they aren't telling everyone this right at this moment is because that would enable more people with malicious intent to exploit the vulnerability before people are protected.

 

Releasing the details about how the security hole can be exploited makes no sense, and does nothing but make the situation worse right now.

If the lock on your door had a design issue allowing anyone to just unlock it, wouldn't you want your lock to be replaced before information about how to unlock it got passed out all the news? Same principle here. Fix the issue before telling everyone what the issue was, in order to minimize the number of victims.


This is pretty normal. It also makes total sense; if someone isn't gonna update when told that there's an RCE exploit, there's nothing that's gonna get them to update, even if you release what the exploit is.

 

13 minutes ago, RejZoR said:

One of the good things is that nearly all browsers use the Chrome engine. Oh wait, that's actually a bad thing...

 

This is also very true, and highlights one of the major problems of consolidating web traffic like what's been happening this past year. We've gone from the big four (Chrome/FF/Safari/IE and Edge) to three really, now that Edge is planning to start using the Chromium rendering engine and IE is being put into full "compatibility tool" status by Microsoft. Not only is this going to basically choke the life out of FF/Safari compatibility, since there's now a feedback loop resulting from "Most people use Chrome, so let's just make it Chrome-compatible", but now we're basically going to see Chrome walking around with a giant "FIND MY VULNERABILITIES" sign on its back, since they're now the prime target for finding exploits like this.


5 hours ago, LAwLz said:

The lead developer of Chrome on Twitter made a joking/humorous tweet, and then went "Also, seriously, update your Chrome installs... like right this minute.".

All the stuff about full caps "NOW" and "Google really wants you to update!" is just completely made up quotes, and it's pretty disingenuous to put that in quotes and say that the dev team is saying it.

I'll accept that. Give me just a bit to edit.


Really, Chrome, Safari, Opera, Vivaldi and now the new Edge are all the same thing. The only really different browsers are Firefox and Internet Explorer/Edge.

 

If anyone actually followed standards, we could have 300 browser engines and they'd all work fine. Instead, everyone is peddling their own bullshit, which is why web devs had such a hard time keeping things up. And don't think everything running Chrome makes anything better. Before, things had to be set as a standard; now Google just pushes shit out because they have a monopoly and the rest just have to keep up. Which is dumb given not even Google keeps up with its own standards right.


4 minutes ago, RejZoR said:

Really, Chrome, Safari, Opera, Vivaldi and now the new Edge are all the same thing. The only really different browsers are Firefox and Internet Explorer/Edge.

 

If anyone actually followed standards, we could have 300 browser engines and they'd all work fine. Instead, everyone is peddling their own bullshit, which is why web devs had such a hard time keeping things up. And don't think everything running Chrome makes anything better. Before, things had to be set as a standard; now Google just pushes shit out because they have a monopoly and the rest just have to keep up. Which is dumb given not even Google keeps up with its own standards right.

Everything used to be "this page is best displayed on IE <version>" and IE had the monopoly, however no one converted their browser to the Trident web engine. Now, everything is "this page is best displayed on Chrome" AND web browsers are converting themselves to Chrome. Google has successfully done what MS attempted to do long ago.


Just now, rcmaehl said:

Everything used to be "this page is best displayed on IE <version>" and IE had the monopoly, however no one converted their browser to the Trident web engine. Now, everything is "this page is best displayed on Chrome" AND web browsers are converting themselves to Chrome. Google has successfully done what MS attempted to do long ago.

There's a lot of things people think they are the best just because Google makes them, but are really really dumb. Like the Chrome browser itself. I don't think I've seen a browser that's a bigger fail than Chrome itself. Maybe only IE because it was basic and useless. Chrome is fat, not even fast, needs 3 tons of extensions just to be half useful at which point it's an even fatter pig, usability design is retarded and so is clumsy idiotic "material" interface. And it's a privacy nightmare as cherry on top.

 

If I'd have to use Chrome based browser, I'd use Opera. Because it's actually designed well, is actually fast and comes with features out of the box so you basically need like 3-4 extensions where Chrome needs like 15 to even get to same level. And yet somehow Opera has by far the smallest user share. Why, I have no clue.

 

I'm currently back to Firefox and while it has a few dumb things, it's quite functional and fast. And the most privacy focused of them all. Too bad iOS dictates what engine browsers can use, so Firefox on iOS isn't really Firefox, it's more like a Firefox skin on top of Safari. Which is super annoying, but I can't do anything about it.


1 minute ago, RejZoR said:

I'm currently back to Firefox and while it has a few dumb things, it's quite functional and fast. And the most privacy focused of them all. Too bad iOS dictates what engine browsers can use, so Firefox on iOS isn't really Firefox, it's more like a Firefox skin on top of Safari. Which is super annoying, but I can't do anything about it.

I want to switch back to Firefox, but the reason I was originally using it was because I could modify its appearance. I can no longer do that as of mid 2018, along with a bunch of other functionality Firefox entirely killed off :(


Yeah, the fact you can't move all interface elements around is pretty retarded, and that actually goes a bit further back than just mid 2018. It got a lot more limited a few years ago; Quantum just sealed its fate, so to speak.

 

For me, closing of entire browser when closing the last tab was what really put me in rage mode. Opera thankfully didn't go with this Chrome idiocy, but Firefox did. Thankfully it's a flip of one setting in about:config page. With Chrome you need to use some half baked extension hacks that are all stupid and just don't work well.


4 hours ago, rcmaehl said:

I want to switch back to Firefox, but the reason I was originally using it was because I could modify its appearance. I can no longer do that as of mid 2018, along with a bunch of other functionality Firefox entirely killed off :(

You can still modify the appearance of Firefox. This is my customized interface (with tabs below the address bar, where they should be). There is a GitHub project that has scripts containing various customizations.

 

https://github.com/Aris-t2/CustomCSSforFx

 

[screenshot attachment: the poster's customized Firefox interface]


I'm still using version 70. I hate the new interface and Google shouldn't be pushing it onto people.

If I knew how to program in C++ I would develop a newer version of Chromium with the old interface built in.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


I have updated the OP with @domroderiguez's post. All content of the update is his.


This was major news here in Australia; it made prime time news just because of the urgency with which Google stressed this update.

 

Good thing they caught onto this. It could be a devastating exploit if it can break out of the sandbox.
