Chrome Browser FileReader Vulnerability (CVE-2019-5786) | Zebra


Google Chrome is a free internet browser provided with Zebra devices running GMS operating systems. 

On February 27th, 2019, Google announced it had uncovered a high-risk vulnerability within the browser, identified as CVE-2019-5786. A malicious actor could exploit a memory management flaw in the Chrome FileReader, using Flash as the first exploit in a chain. There have been reports of active exploitation. Per Google:

We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

Google issued a new Chrome release on March 1st to address this vulnerability. Additional information about the release can be found on Google's site.  

Zebra strongly recommends all customers running Chrome ensure their devices have automatically downloaded the latest Chrome release (72.0.3626.121 or later) and that devices have been restarted to apply the update. While most Chrome updates occur automatically, a system restart is required in this case. Additionally, devices where automatic updates have been disabled will need to be manually updated. 


Google has reported a second vulnerability related to Microsoft Windows to Microsoft. Per Google: 

The unpatched Windows vulnerability can still be used to elevate privileges or, combined with another browser vulnerability, to evade security sandboxes. Microsoft have told us they are working on a fix.

Zebra will continue to post information to this area as we are informed of recommended patches. 

Affected Products

Any Zebra device running Google Chrome browser software v. 72.0.3626.120 or earlier. 
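
The version threshold and restart requirement described above can be checked across a device inventory. The following is an added example, not Zebra or Google code: the inventory format (serial, installed Chrome version, restarted since update), the device serials and the status names are assumptions made for illustration.

```python
import re

# First fixed release named in the advisory.
FIXED = (72, 0, 3626, 121)

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a Chrome version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, restarted_since_update):
    """Classify one device against the advisory's remediation steps."""
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN"            # cannot prove the device is patched
    if version < FIXED:             # numeric compare, not string compare
        return "VULNERABLE"
    if not restarted_since_update:
        return "RESTART_REQUIRED"   # update downloaded but not yet applied
    return "OK"


def audit(inventory_csv):
    """Map device serial -> status for 'serial,version,restarted' rows."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue                # skip rows that do not fit the assumed format
        serial, version, restarted = fields
        results[serial] = classify(version, restarted.lower() == "yes")
    return results


# Constructed sample inventory (hypothetical serials, not real devices).
SAMPLE = """
DEV-001,72.0.3626.121,yes
DEV-002,72.0.3626.120,yes
DEV-003,72.0.3626.99,yes
DEV-004,73.0.3683.75,no
DEV-005,unknown,yes
"""
```

Versions are compared as integer tuples because a plain string comparison would rank 72.0.3626.99 above 72.0.3626.121 and report an affected device as patched.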

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.


