myhack58 | Anonymous | MYHACK58:62201993035
Mar 06, 2019 - 12:00 a.m.

CVE-2019-5786: Chrome 0-day exploited in the wild - vulnerability alert - Black Bar Safety Net

2019-03-06 00:00:00
Anonymous
www.myhack58.com
106

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.973 High
Percentile: 99.8%


0x00 Vulnerability background
On March 6 (Beijing time), 360CERT observed that Chrome released a version update (72.0.3626.119 -> 72.0.3626.121) that fixes CVE-2019-5786, which is being exploited in the wild. The vulnerability is fairly severe and has a wide impact.

0x01 Vulnerability details
CVE-2019-5786 is a use-after-free (UAF) vulnerability in FileReader. It was reported by Clement Lecigne of Google's Threat Analysis Group on 2019-02-27, and no other details have been released so far.
Comparing the source code of the two versions shows some changes in third_party/blink/renderer/core/fileapi/file_reader_loader.cc. When a partial result is returned, the ArrayBuffer is now copied, which avoids having multiple references to the same underlying ArrayBuffer.

0x02 Safety recommendations
Chrome users can open the chrome://settings/help page to see the current browser version. If it is not the latest version (72.0.3626.121), the page automatically checks for an upgrade, and after a restart the browser is updated to the latest version. Other browser vendors that use the Chromium core also need to check their own products and apply the patch.
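For checking more than one machine, the version comparison above can be scripted. The following is an added example, not part of the original advisory: it compares collected Chrome version strings against the fixed build 72.0.3626.121 numerically, since a plain string comparison would rank 72.0.3626.99 above 72.0.3626.121. The host names and the inventory are constructed, and the check assumes stable-channel Chrome version strings such as the output of `chrome --version`.

```python
import re

# Fixed Chrome build named in this advisory.
FIXED = (72, 0, 3626, 121)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version tuple from a banner, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_update(text, fixed=FIXED):
    """True if the build is older than `fixed`, False if not, None if unparsable."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, unlike comparing the raw strings.
    return version < fixed


def audit(inventory):
    """Group hosts by status; unparsable banners are reported, never assumed safe."""
    report = {"below_fixed": [], "at_or_above_fixed": [], "unknown": []}
    for host, banner in inventory.items():
        status = needs_update(banner)
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["below_fixed"].append(host)
        else:
            report["at_or_above_fixed"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "ws-01": "Google Chrome 72.0.3626.119",
    "ws-02": "Google Chrome 72.0.3626.121",
    "ws-03": "Google Chrome 72.0.3626.99",  # "99" > "121" as strings, older as numbers
    "ws-04": "version unavailable",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a manual check, as do Chromium-based browsers from other vendors, whose product version numbers do not map onto Chrome's.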

0x03 Timeline
2019-02-27 Vulnerability reported
2019-03-01 Chrome 72.0.3626.121 released
2019-03-05 Google states that the vulnerability is being exploited in the wild

0x04 Reference links
https://chromium.googlesource.com/chromium/src/+/150407e8d3610ff25a45c7c46877333c4425f062^!/#F0
