Two serious zero-day vulnerabilities have been fixed in the emergency patch released yesterday by Google, and one of them has been exploited by hackers. The Chrome Security Team said both vulnerabilities are in a use-after-free form that allows hackers to execute arbitrary code on vulnerable devices. One of the vulnerabilities exists in the audio component of the browser, while the other exists in the PDFium library. The three major platform versions, Windows, macOS and GNU/Linux are affected.
[$7500] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12
[$TBD] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29
These two vulnerabilities allow an attacker to execute arbitrary code in the browser, obtain sensitive information, bypass security restrictions and perform unauthorized operations or cause a denial of service. Google acknowledges that hackers have exploited the CVE-2019-13720 vulnerability to launch attacks on Chrome users. Detailed information about security vulnerabilities is not yet available.
After Google fixed two vulnerabilities. Researchers from Kaspersky revealed more technical details about a vulnerability (CVE-2019-13720). “So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,” Kaspersky said.
Chrome users, please upgrade your browser as soon as possible!