Last week Google discovered a zero-day vulnerability in Chrome that the Google Threat Analysis Group determined was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-5786, resides in the web browsing software and impacts all major operating systems, including Windows, Apple macOS and Linux.
If you are unfamiliar with the term, a zero-day vulnerability results in attack attempts to exploit a vulnerability on the day it is discovered, before the software developer is able to provide a patch.
To mitigate the potential for exploitation, Google experts revealed that the CVE-2019-5786 flaw is a use-after-free vulnerability in the FileReader component of the Chrome browser. A 'use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. Simply put, if a user opens a PDF in a compromised browser, an attacker can hijack the browser and use it to get into the system and wreak havoc.
Google quickly released a patch for Chrome browsers to address this, so the fix is relatively simple: update Google Chrome immediately to the latest version (72.0.3626.121 (Official Build)) of the web browsing application.
How Duo Helps
When faced with this type of exploit, security teams in organizations must address it quickly and efficiently.
So, how can Duo help?
1. Gain visibility into your exposure with Duo’s Device Insight, which lets you see which users’ devices are out-of-date and at risk. In this instance, Device Insight can show you which devices are running an out-of-date version of the Chrome browser.
2. Then you can enable Duo’s browser policy to warn users if their browser is out-of-date.
3. Duo’s browser policy also allows you to block out-of-date browsers and show users which browsers and versions are allowed. Duo’s policies can be applied at various levels, including globally, group specific and application specific, allowing you to choose where best to apply the appropriate controls.