Google Discloses Severe Vulnerabilities in Chrome

Google announced on Halloween that it addressed two severe vulnerabilities in Chrome on Windows, macOS, and Linux with the release of version 78.0.3904.87. The company also said in its announcement that it was "aware of reports that an exploit" for one of the vulnerabilities, CVE-2019-13720, already "exists in the wild."

Both of the issues were "use-after-free" vulnerabilities that occur when apps try to use memory that's no longer allocated to them. CVE-2019-13720 involved a use-after-free vulnerability in Chrome audio; CVE-2019-13721 was a use-after-free vulnerability in the PDFium utility that Chrome uses to manage PDF documents.

The vulnerabilities were discovered by Kaspersky researchers. They gave the exploit for CVE-2019-13720 a far more interesting name: Operation WizardOpium. According to Kaspersky's blog post, the exploit was found embedded in a "Korean-language news portal" used to deliver malware via malicious JavaScript.

Kaspersky said it has "been unable to establish a definitive link with any known threat actors" so far. "There are certain very weak code similarities with Lazarus attacks," the company explained, "although these could very well be a false flag." (Which would mean someone imitated the Lazarus attacks to mislead researchers.)

Both companies advised Chrome users to install version 78.0.3904.87 as soon as possible. That shouldn't require user intervention, thanks to the browser's automatic update feature, but you can double-check which version of Chrome you're using by visiting the About Chrome page in the browser's Settings menu.

Google said it awarded Kaspersky's researchers $7,500 for the disclosure of CVE-2019-13721; the reward for CVE-2019-13720 hasn't been determined. More information about the company's vulnerability disclosure and reward policies (at least as they relate to its browser) can be found on the Chrome Security Page.