Google updates Chrome to fix high-severity Blink engine flaw

Google has updated Chrome to fix a high-severity flaw that could enable hackers to carry out remote code execution (RCE) attacks. "The stable channel has been updated to 76.0.3809.132 for Windows, Mac, and Linux, which will roll out over the coming days/weeks," Srinivas Sista of Google Chrome announced in an online post.

The flaw, tracked as CVE-2019-5869, was uncovered on Monday by two security researchers, Luyao Liu and Zhe Jin from the Chengdu Security Response Centre of Qihoo 360. They reported the bug through Google's vulnerability disclosure process and were awarded $5,500 for doing so.

According to Google, this "use-after-free" flaw exists in the Blink browser engine that powers Google Chrome and poses a "high" risk to large and medium government and business entities. Blink is open-source; it was developed under the Google Chromium project and was rolled out in 2013.

The researchers who discovered the vulnerability in Blink warned that it could enable attackers to circumvent security restrictions, execute arbitrary code on the system, carry out DoS attacks, and steal sensitive user information.

All Google Chrome versions prior to 76.0.3809.132 are affected by the security flaw.

"Depending on the privileges associated with the application, an attacker could install programmes; view, change, or delete data; or create new accounts with full user rights." Moreover, it becomes easy for attackers to exploit the bug when a user visits a specially designed malicious webpage.

A "use-after-free" bug is a memory corruption issue in which a program attempts to access memory after that memory has been freed. Such an attempt may result in the crash of a programme or the execution of arbitrary code.

According to Google, its Chrome 76.0.3809.132 update fixed three security bugs in total, although the company didn't reveal any further detail about the other two bugs. Google had previously updated its Chrome browser for Windows, Mac and Linux (Chrome 76) in July. That update addressed more than 40 security issues in the browser.
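The article states that every Chrome version prior to 76.0.3809.132 is affected. The following is an added example, not part of the original article or any Google tooling, that triages an inventory of installed Chrome versions against that threshold; the host names and the inventory format are assumptions, and the sample data is constructed.

```python
import re

# Fixed stable build named in the article; earlier builds are affected.
FIXED = (76, 0, 3809, 132)

def parse_version(text):
    """Return a 4-tuple of ints from a Chrome version string, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(inventory):
    """Split {host: version_string} into affected, patched and unknown hosts."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        version = parse_version(raw)
        if version is None:
            result["unknown"].append(host)   # do not assume a malformed entry is safe
        elif version < FIXED:                # tuple comparison is numeric per component
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result

# Constructed sample inventory (hypothetical host names, not from the article).
SAMPLE = {
    "ws-01": "76.0.3809.132",
    "ws-02": "76.0.3809.100",
    "ws-03": "76.0.3809.87",   # a plain string compare would rank this above .132
    "ws-04": "75.0.3770.142",
    "ws-05": "77.0.3865.75",
    "ws-06": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Comparing the raw strings instead of parsed integers would misclassify builds such as 76.0.3809.87 as patched, which is why the check parses each component first.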