Google announced on Halloween that it addressed two severe vulnerabilities in Chrome on Windows, macOS, and Linux with the release of version 78.0.3904.87. The company also said in its announcement that it was "aware of reports that an exploit" for one of the vulnerabilities, CVE-2019-13720, already "exists in the wild."
Both of the issues were "use-after-free" vulnerabilities that occur when apps try to use memory that's no longer allocated to them. CVE-2019-13720 involved a use-after-free vulnerability in Chrome audio; CVE-2019-13721 was a use-after-free vulnerability in the PDFium utility that Chrome uses to manage PDF documents.
Kaspersky said it has "been unable to establish a definitive link with any known threat actors" so far. "There are certain very weak code similarities with Lazarus attacks," the company explained, "although these could very well be a false flag." (Which would mean someone imitated the Lazarus attacks to mislead researchers.)
Both companies advised Chrome users to install version 78.0.3904.87 as soon as possible. That shouldn't require user intervention, thanks to the browser's automatic update feature, but you can double-check which version of Chrome you're using by visiting the About Chrome page in the browser's Settings menu.
Google said it awarded Kaspersky's researchers $7,500 for the disclosure of CVE-2019-13721; the reward for CVE-2019-13720 hasn't been determined. More information about the company's vulnerability disclosure and reward policies (at least as they relate to its browser) can be found on the Chrome Security Page.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.