Hey all - sadly, we've tracked down a shiny new Chrome zero day that appears to be impacting basically every version of Chrome prior to 76.0.3809.132. As usual, the details are a bit murky beyond a one-line release note, but Google has released a new patch (76.0.3809.132 on the stable channel), and that build is the fix.
For the security nerds, it's listed under CVE-2019-5869, but don't go looking - nothing has been published beyond the release note, which calls it a use-after-free in Blink (Chrome's rendering engine) and rates it High. The bug allows arbitrary code execution inside the renderer process when a user visits a malicious or compromised website. Once your employees visit such a site (which they'll do immediately), attacker code can run in the renderer and do various nefarious things. If you're really out of date, this could in theory be chained with one of the recent Chrome sandbox escape vulnerabilities, potentially giving the attacker access to the system itself rather than just the sandboxed renderer.
Automox has some cool new tools to get you patched - namely the Software page. The new Software page lets you search for Chrome and sort by date, showing exactly which machines are fully up to date and which are not, by version. A big Patch Now button brings all machines into compliance, killing the guesswork. Since the CVE record has not been populated with severity or other data yet, you will see this vulnerability with an "Other" rating in Automox until that data is updated. Your Patch All policies will also catch and patch it, but if you use Severity or other filters, we recommend using the Software page to get immediately up to date.
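If you'd rather sanity-check your own inventory export against the fixed build, here is a small version check. This is an added example, not Automox code or part of the original post; the fixed version 76.0.3809.132 comes from the advisory above, and the hostnames and versions in the sample inventory are constructed. The one thing it shows that a quick eyeball does not: Chrome versions must be compared as integer tuples, because a string comparison puts 76.0.3809.87 after 76.0.3809.132.

```python
"""Flag Chrome installs still below the fixed build for CVE-2019-5869.

Added example, not Automox code. The fixed version comes from the advisory;
the inventory at the bottom is constructed sample data, not real machines.
"""
from typing import Dict, List, Tuple

# 76.0.3809.132 is the first stable build carrying the fix for CVE-2019-5869.
FIXED_VERSION = "76.0.3809.132"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into an integer tuple.

    Lexical comparison gets this wrong ('76.0.3809.87' > '76.0.3809.132'
    as strings because '8' > '1'), so compare integer tuples instead.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build predates the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> Dict[str, List[str]]:
    """Bucket hostnames into needs_patch / up_to_date / unknown.

    'unknown' catches entries whose version field is unparseable (agent could
    not read a version, Chrome not installed, etc.); those need a manual look
    rather than being silently counted as compliant.
    """
    result: Dict[str, List[str]] = {"needs_patch": [], "up_to_date": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "needs_patch" if is_vulnerable(version, fixed) else "up_to_date"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostname -> reported Chrome version). Not real data.
SAMPLE_INVENTORY = {
    "ws-001": "76.0.3809.87",    # one build behind the fix; vulnerable
    "ws-002": "76.0.3809.132",   # exactly the fixed build
    "ws-003": "77.0.3865.75",    # newer major; fine
    "ws-004": "75.0.3770.142",   # older major; vulnerable
    "ws-005": "not installed",   # no parseable version reported
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it whatever your inventory export gives you as a hostname-to-version mapping; anything landing in `unknown` deserves a manual check before you call the fleet clean.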
There's a blog if you want to know more, but you can also message me here to walk through this exploit, how we detect and resolve it, and how to use the new Software page!