Google Threat Analysis Group Clement Lecigne, a security expert, has discovered a new and highly serious vulnerability in Google Chrome that allows a potential attacker to run arbitrary code and take control of the computer. Vulnerability is assigned CVE-2019-5786 and affects Chrome, Windows, Linux, and macOS versions.

More detailed technical details on vulnerability have not yet been published to give users enough time to update. However, the available fragments indicate that the error is somewhere in the FileReader API and all that is needed to exploit it is to lure the user to a malicious page. Unfortunately, at this point in time, Google has seen signs of active abuse of this vulnerability. 

The bug has already been fixed and users should update to 72.0.3626.121 without delay.

Massive data leak from the CallerID application Dalil App

Dalil App is a CallerID app for Saudi Arabia and other Arab users. For more than a week, its complete MongoDB database has been accessible to the world without any authentication. The database contains all application data including phone numbers, device information, user account details, GPS coordinates, activity records, and more. Almost 600GB of data is available for more than 5 million active users, and as more is being added, it is most likely a production system.

Security researchers have repeatedly informed application developers, but so far no correction has been made. One researcher even reports that an unknown attacker accessed the database at one point, encrypted some of the data and left a ransom request, but Dalil's IT team did not notice anything and the user data continued to be stored in a clearly compromised database.

Google has posted an unrecovered bug in the macOS kernel

Google Zero Security Researchers have released details and proof-of-concept exploit of unrecovered high-severity vulnerabilities in the macOS core. They came to the publication after Apple was unable to fix this for 90 days from the first non-public error report. The error lies in the possibility of bypassing the copy-on-write mechanism to exploit attack vectors through unauthorized memory manipulation. According to available information, Apple is already working to correct a bug that should be included in the next release.