If you use the Google Chrome browser (and you probably do), it's time to update if you can.
An emergency patch has been pushed out to Windows, macOS and Linux users to fix a serious vulnerability that could permit full system takeover by a malicious website. Android and iOS are not affected.
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser," wrote the non-profit Center for Internet Security in an advisory Tuesday (Aug. 27). "Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights."
Chrome version 76.0.3809.132 patches this flaw and two others for which we have fewer details, although the update is being rolled out in stages, so you might not be able to install it yet. (The vulnerability has not yet been exploited in the wild.)
How to update Chrome
To check whether you're up to date or whether an update is available for your machine, click the three vertical dots in the upper right corner of the browser window, scroll down to "Help" and hover your mouse cursor over it, then click "About Google Chrome" in the fly-out dialogue box.
Alternatively, you can just paste "chrome://settings/help" into the address bar.
A new webpage will open stating the version of Chrome you're on. In most cases, if an update is available for your machine, the update process will begin automatically and you'll only have to restart the browser. Some Linux users may have to wait for the update to come as part of their Linux distribution's official update process.
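Because the update is rolling out in stages, anyone looking after several machines may want to check the version strings they report against the patched build, 76.0.3809.132. The sketch below is an added example, not code from Google or from the advisory; it assumes the version strings have already been collected, and the host names and sample strings are constructed.

```python
import re

# Patched build named in the article; anything older is treated as unpatched.
PATCHED = (76, 0, 3809, 132)

# Matches the four-part version in text such as "Google Chrome 76.0.3809.132".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def needs_update(text, patched=PATCHED):
    """True if the reported version is older than the patched build.

    Unparseable input also returns True, so an unknown install is never
    silently counted as patched.
    """
    version = parse_version(text)
    return version is None or version < patched


def audit(inventory):
    """Return the sorted host names whose reported version needs updating."""
    return sorted(host for host, text in inventory.items() if needs_update(text))


# Constructed sample inventory: host name -> version string collected from it.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 76.0.3809.132",
    # As plain strings ".99" sorts after ".132"; compared as numbers it is older.
    "ws-02": "Google Chrome 76.0.3809.99",
    "ws-03": "Google Chrome 75.0.3770.142",
    "ws-04": "Google Chrome 77.0.3865.35 beta",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update needed ({SAMPLE_INVENTORY[host]})")
```

Comparing the versions as tuples of integers matters here: a plain string comparison would rank 76.0.3809.99 above 76.0.3809.132 and miss an unpatched machine.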
Because the flaw is in Blink, the open-source rendering engine that puts webpages together in your browser, it is likely that other browsers that use Chromium, the open-source underpinnings of Chrome, will also be affected. Those browsers include Brave, Opera, Vivaldi and the beta version of Microsoft's Edge, although we've not yet seen advisories from them about this flaw.
The Center for Internet Security's advisory noted that the malicious impact would be minimized if the affected user account did not possess administrative rights. Tom's Guide has long advised Windows users to create limited-privilege accounts, without the ability to modify programs, for daily use, as this often limits how much damage malware can do.
The flaw was reported to Google by Zhe Jin and Luyao Liu of Chinese antivirus maker Qihoo 360, and the researchers collected $5,500 as a bug bounty for their efforts.