- Update your Chrome browser immediately, as a flaw discovered by Kaspersky Labs is under active exploitation.
- Not many technical details have been released yet, as people need time to update their software.
- The two flaws are similar to another actively exploited zero-day that was discovered back in March.
Chrome users on macOS, Linux, and Windows should update their browser immediately to version 78.0.3904.87. Anything older than that carries two "use-after-free" vulnerabilities. The first, CVE-2019-13720, is in the browser's audio component; the second, CVE-2019-13721, lies in PDFium, Chrome's built-in PDF renderer. According to Google, the flaw in the audio component is being actively exploited in the wild right now and can lead to the takeover of the affected computer.
While no technical details have been disclosed yet, both bugs share the same nature: the browser keeps using a block of memory after it has been freed, and an attacker who can influence what that memory holds next may gain control. This can open the door to arbitrary remote code execution, which in turn can lead to a step-by-step system takeover; in other cases, Chrome or one of its tabs may simply crash. Google says that once the majority of users have upgraded to the latest version, it will consider sharing more technical information about the flaws. Users of Chromium-based browsers such as Brave, Vivaldi, and Opera will receive the fix somewhat later, once those projects ship their own updates.
The exploited bug was discovered and reported to Google by Anton Ivanov and Alexey Kulaev, researchers at Kaspersky Labs. These new flaws recall a similar situation in the v72 branch: back then, CVE-2019-5786 was likewise a "use-after-free" vulnerability that was already under exploitation at the time of its discovery. Google could not say how long attackers had been exploiting that bug, and the same is true today. In practice, this means Chrome users could have been exposed to this attack for many months without anyone knowing.
Chrome and Chromium-based browsers fetch and apply updates automatically. However, if for any reason you are still running an older version, open Chrome's settings panel and select "About Chrome". The page shows the installed browser version and triggers a check for any available update.
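For administrators who would rather check a fleet of Linux or macOS machines from a script than click through the settings page, the following added example (not part of the original article) compares the installed Chrome version against the fixed release 78.0.3904.87 named above. The `installed_chrome_version` helper looks for common binary names and paths, which are assumptions about where Chrome is installed; the version strings in the comments are constructed test values.

```shell
#!/bin/sh
# Added example: flag Chrome installs older than the release that fixes
# CVE-2019-13720 and CVE-2019-13721. Version comparison is purely numeric,
# field by field, so "78.0.3904.70" sorts before "78.0.3904.87".

FIXED_VERSION="78.0.3904.87"

# version_lt A B: exit status 0 when dotted version A is older than B.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing fields count as zero
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                          # equal versions are not "older"
}

# chrome_needs_update V: exit status 0 when version V is still vulnerable.
chrome_needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_chrome_version: print the version of the first Chrome/Chromium
# binary found (assumed names and paths), or return 1 if none is present.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if out=$("$bin" --version 2>/dev/null); then
            # Output looks like "Google Chrome 78.0.3904.87"; keep the number.
            printf '%s\n' "$out" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
            return 0
        fi
    done
    return 1
}

# report V: human-readable verdict for one version string.
report() {
    if chrome_needs_update "$1"; then
        printf 'VULNERABLE: Chrome %s is older than %s, update now\n' "$1" "$FIXED_VERSION"
        return 1
    fi
    printf 'OK: Chrome %s is at or above %s\n' "$1" "$FIXED_VERSION"
    return 0
}

# Stand-alone use: check the local install if one is found.
v=$(installed_chrome_version || true)
if [ -n "$v" ]; then
    report "$v" || true
else
    printf 'No Chrome/Chromium binary found on this host\n'
fi
```

On a host without Chrome the script only prints that nothing was found; the comparison functions can still be used directly, for example by feeding version strings collected from an inventory tool.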