Clement Lecigne of Google’s Threat Analysis Group reveals in a blog post that two zero-day vulnerabilities have been discovered in Google Chrome.
The bug was first reported on February 27th, and Google was quick to release an update two days later, on March 1st, to address the issue. In all likelihood, your Chrome browser updated itself automatically, but if you want to check, go to Help > About Google Chrome and make sure you’re on version 72.0.3626.121. If not, update right away.
As Chrome security engineer Justin Schuh explained in a series of tweets on Wednesday, this attack is different from previous attacks on Chrome because, rather than targeting Flash, it targets the Chrome code directly.
When Flash was the first exploit in the chain, Google could silently update the Flash plugin behind the scenes, and Chrome would automatically switch over to the updated plugin without any user intervention. The fix for this zero-day, on the other hand, only takes effect after the browser is restarted, so even if the update is already installed on your system, you still have to close and reopen Chrome manually.
This link has more context on the 0day attack observed against Chrome. Separately, I want to expand on why it was important to call out this attack more prominently than previous 0day attacks against Chrome. [1/3] https://t.co/9rGkXa6BoI
— Justin Schuh 🗑 (@justinschuh) March 7, 2019
The (relatively) good news is that, as of yesterday, Google has “only observed active exploitation against Windows 7 32-bit systems,” so if you’re on Windows 10 (or even Windows 8), you’re probably in the clear. Nevertheless, there’s no point in taking any risks, so be sure that your browser is up to date, and if it isn’t, update today.
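The two checks the article describes (is the installed build at least 72.0.3626.121, and has the browser actually been restarted onto it?) are easy to get wrong when version strings are compared as text, since "96" sorts after "121". The following is an added example, not code from the article or from Google; the installed and running version strings are assumed to be supplied by whatever inventory tooling you already have.

```python
# Added example: decide whether a Chrome install carries the March 1 2019 fix
# and whether the running browser has actually picked it up.
from __future__ import annotations

# Fixed version named in the article.
FIXED_VERSION = "72.0.3626.121"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '72.0.3626.121' into (72, 0, 3626, 121) so comparison is numeric.

    Plain string comparison is wrong here: '72.0.3626.96' > '72.0.3626.121'
    as strings (because '9' > '1'), but 96 < 121 as a build number.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is the fixed build or anything newer."""
    return parse_version(version) >= parse_version(fixed)


def assess(installed: str, running: str | None) -> str:
    """Classify one machine.

    installed: version of the Chrome binary on disk (what the updater wrote).
    running:   version reported by the live browser process, or None if
               Chrome is not running. Both values are assumed to come from
               the caller's own inventory tooling (hypothetical).
    """
    if not is_patched(installed):
        return "UPDATE REQUIRED"
    if running is None or is_patched(running):
        return "PATCHED"
    # The fix is on disk but the old code is still what is executing: the
    # article's point that this update only takes effect after a restart.
    return "RESTART REQUIRED"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, inst, run in [("pc-1", "72.0.3626.121", "72.0.3626.96"),
                            ("pc-2", "72.0.3626.121", None),
                            ("pc-3", "72.0.3626.96", "72.0.3626.96")]:
        print(host, assess(inst, run))
```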