Update Google Chrome: Zero-Day Vulnerability Being Actively Exploited in the Wild

A recently discovered vulnerability in Google Chrome is being actively exploited by hackers.

The vulnerability was discovered by Kaspersky Lab security researchers Anton Ivanov and Alexey Kulaev who reported the flaw to Google. The flaw – CVE-2019-13720 – is a high-severity use-after-free memory corruption vulnerability in the audio component of the Chrome browser. If exploited the flaw could cause the browser to crash and would allow the remote execution of arbitrary code, which could lead to a full takeover of a vulnerable system.

Kaspersky Lab discovered an exploit for the Chrome 0-day flaw had been developed and was being used in real-world attacks. At the time of writing, little information has been released about the flaw. Google will disclose further information when the majority of users have updated to the latest version of Chrome – version 78.0.3904.87 – which has been released for Windows, Mac, and Linux and will be rolled out over the next few days. Should Google determine that the flaw also exists in a third-party library that other projects depend on but haven’t yet fixed, the release of further information about the flaw will be delayed.

Ethical hacker, John Opdenakker, has done some digging and said the flaw can only be exploited if a user is convinced to visit a specially crafted website, which will limit the potential for the flaw to be exploited.

The latest Chrome version also includes a fix for another use-after-free memory corruption vulnerability – CVE-2019-13721. This flaw affects PDFium, which is used to leverage an open-source software library for viewing and searching PDF files. No exploits for this flaw are believed to have been developed. The flaw was identified and reported to Google by security researcher, banananapenguin.

Chrome users have been advised to update their browser as soon as possible to prevent exploitation of the vulnerability. While the update will occur automatically, users have been advised to apply the update manually to ensure they are protected.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news