A critical vulnerability that could lead to system compromise has been confirmed by Google
In the same week that Microsoft confirmed seven critical vulnerabilities for Windows 10 users, Google has confirmed what it refers to as a critical security vulnerability. According to a stable channel update notice published April 15 by Google Chrome technical program manager Prudhvikumar Bommana, the critical vulnerability relates to a “use after free” problem in the speech recognition component. That, however, is as far as the information coming out of Google itself regarding this vulnerability goes. The vulnerability, CVE-2020-6457, is described as “reserved” at the National Vulnerability Database (NVD), which is the U.S. government repository of common vulnerabilities and exposures. Neither of these things is unusual in the circumstances: restricting the full details of a security issue such as this is commonplace, to allow the majority of users to get the problem fixed first.
What is the impact of this Chrome use after free vulnerability?
Talking to security researchers has unearthed some further information, though, none of which will be of use to a potential attacker and so can be revealed here. The vulnerability, reported to Google on April 4 by Qihoo 360 Alpha Lab researchers, is within the speech recognition component of Google Chrome and affects users of the desktop client for Windows, Mac and Linux. If a threat actor were to successfully persuade someone to visit a malicious web page, the use after free memory corruption error could be triggered. A use after free vulnerability is one where a program attempts to access memory after it has been freed, and possibly allocated elsewhere, which can cause a crash. This could then lead to a compromise of your computer, as the attacker can then execute arbitrary code on your system. Because the attack complexity of this particular vulnerability is thought to be low but the potential consequences high, with an attacker taking control of your computer, Google has rated this as a critical security issue.
CISA encourages users to update now
The vulnerability is critical enough for the Cybersecurity and Infrastructure Security Agency (CISA), which is a standalone federal agency under U.S. Department of Homeland Security (DHS) oversight, to “encourage” users to apply the necessary updates (https://www.us-cert.gov/ncas/current-activity/2020/04/16/google-releases-security-updates).
Protecting against CVE-2020-6457
There are, at the time of writing and to the best of my knowledge, no in-the-wild reports of this vulnerability being exploited by threat actors, which is the first bit of good news to report. The second is that Google has fixed the vulnerability with a Chrome update, hence the announcement it has made. This update will roll out to Chrome desktop users on the Windows, Mac and Linux platforms, “over the coming days and weeks,” according to Google. Personally, I would not wait a few days and instead perform the update manually if it has not already hit your desktop.
You can check to see what version you currently have by going to Help|About Google Chrome. You are looking for Chrome 81.0.4044.113 to be safe. The very act of checking will trigger Chrome to update itself, after which you just need to restart your browser to be fully protected against CVE-2020-6457.