Update Google Chrome for critical vulnerability / safecomputing.umich.edu

Thu, 03/07/2019 - 12:00

This information was sent to U-M IT staff groups on March 7, 2019. Please share this information in your unit as appropriate. If you are responsible for managing university machines with Chrome, update Chrome to the latest version.

Summary

The Google Chrome web browser needs to be updated to version 72.0.3626.121 (or newer) for Windows, Mac, and Linux. This update fixes a critical security vulnerability that carries the risk of escalated privileges on a machine.

Problem

Older versions of Chrome can allow attackers to gain elevated privileges on a user’s computer, potentially allowing an attacker to install malicious software or acquire sensitive data.

Threats

Google has received reports that an exploit for the CVE-2019-5786 vulnerability exists in the wild.

Affected Versions

Chrome versions prior to version 72.0.3626.121 on Windows, macOS, and Linux.

Action Items

Update Chrome to version 72.0.3626.121 (Official Build).
You may need to check Chrome for pending updates that have not yet been installed.

While most people have Google Chrome set to update automatically, updates to Google Chrome normally happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, you may be missing important security updates.

Check the icon in the upper right corner of any Chrome window to see if updates are pending. If there are pending updates, install them.

Technical Details

A critical use-after-free security vulnerability exists in Chrome. It is a memory corruption flaw that carries the risk of escalated privileges on a machine where data in memory was modified through an exploit.

Information for Users

MiWorkspace machines will be updated as soon as possible. It is best to set Chrome on your own devices to update automatically. Be aware that automatic updates to Chrome normally happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, check for pending updates to Chrome and update if necessary.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

References

Stop What You're Doing and Update Google Chrome (PC Mag, 3/7/19)
Google Confirms Serious Chrome Security Problem - Here's How To Fix It (Forbes, 3/7/19)
Google urges users to download and install the latest Chrome update ASAP (MSPoweruser, 3/7/19)
Update Google Chrome Right Now (Lifehacker, 3/6/19)
Serious Chrome zero-day – Google says update “right this minute” (Naked Security, 3/6/19)
Chrome Releases: Stable Channel Update for Desktop (Google Chrome, 3/1/19)