Google encourages consumers to get the latest Chrome browser update in order to prevent security problems related to high severity vulnerability.
According to Google, the update has already been released for most browsers. The stable channel has been upgraded for the most common operating systems, including Windows, Mac, and Linux.
However, Google does not disclose any details about the bug.
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain (disclosure) restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
OWASP Foundation also provides a description of the vulnerability which reveals that bugs like this are widely exploited by cyber criminals and enables them to operate arbitrary code within the contexts of a targeted app. Also, a failed exploitation generates a denial of service condition.
In addition, the analysis provided the information that the flows is in the Internation Components for Unicode C/C++. Risk Based Security reported that:
Ultimately, while it does affected V8 and Chrome, the flawed code is not Google’s. The vulnerability, a NUL-terminated buffer handling buffer overflow, was made public Oct. 11.
The vulnerability was uncovered and reported by a security researcher at Ant-Financial Light-Year Security Lab Yu Zhou.
The researcher also received an award for $3,000 for the discovery via Google’s award program called bug bounty.
The update about the patch was also announced by the United States Computer Emergency Readiness Team which encourages users and administrators to review the Google updates and to release and apply the update.
The update for a mobile version of Chrome for Android was also released. This update solved the issue with a memory leak bug and also a major crash issue.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using Address Sanitized, Memory Sanitizer, Undefined Behavior Sanitizer, Control Flow Integrity, lib Fuzzer or AFL.