Web application security specialists reported the appearance of two dangerous vulnerabilities in the Chrome browser, in addition to the active exploitation of one of these flaws to take control of the victims’ computers.
Security flaws are present in the browser
version for Windows, Mac, and Linux operating systems, and its users must
update Chrome to the latest version (78.0.3904.87), released just a few hours
ago.
Although no further details were reported on
these security flaws, Chrome’s web application security experts mentioned that
both are variants of the vulnerabilities known as use-after-free.
The first of these flaws (tracked as CVE-2019-13720) affects the browser audio
component, while the second (CVE-2019-13721) resides in the PDFium library.
According to web application security experts,
a use-after-free vulnerability is a condition that allows hackers to corrupt or
modify data in a system’s memory, which generates the necessary conditions to
perform a privilege escalation in the targeted environment.
Exploiting both vulnerabilities would allow
remote threat actors to gain high privileges in Chrome, plus they only require
tricking target users into visiting a malicious website, which will be used to bypass
the sandbox environment and execute their arbitrary code on the victims’
system.
Regarding the reports, CVE-2019-13720 was
discovered and reported by Anton Ivanov and Alexey Kulaev, researchers from
security firm Kaspersky Labs. The flaw was found in the wild, although nothing
is yet known about the hackers responsible for its exploitation.
After Google received the bug report, and after
the release of the security patch, some technical details of the detected
attack were revealed. As reported, hackers compromised a news site of South
Korean origin, planted the exploit on the site and hacked the computers of
users of this site who entered from an affected version of Chrome.
According to the experts from International
Institute of Cyber Security (IICS), this exploit installs the malware to abuse
the vulnerability, connecting with an encoded C&C to download the final
payload. Users are strongly advised to update Chrome as soon as possible.
