Late last week, Google announced an urgent Google Chrome browser update (78.0.3904.87) for Windows, Mac, and Linux platforms. The update includes security fixes for two identified vulnerabilities within the current Chrome browser. Very little information about the two vulnerabilities has been released at this time; however, Google noted that one of the exploits is actively being exploited “in the wild”.
Vulnerability researchers use a variety of techniques, both automated and manual, for finding vulnerabilities in software. Threat actors, such as cyber criminals and intelligence agencies, are often in a race to find these vulnerabilities before they are identified by researchers and vendors. When a researcher identifies a vulnerability being exploited “in the wild”, this means that it was discovered by malicious threat actors first. Researchers then reverse engineer network traffic, malicious software, and other evidence of exploitation in order to identify the vulnerability and notify the vendor.
What We Know About the Google Chrome Vulnerabilities
The U.S. Dept. of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that the new Google Chrome browser update “addresses vulnerabilities that an attacker could exploit to take control of an affected system.” Some vulnerabilities allow for remote exploitation and control of compromised workstations. A likely scenario for an attack would involve an attacker emailing a link to a malicious website or setting up malicious advertising on sites that victims are likely to visit. The malicious site or ad would then contain crafted data that exploits the vulnerability and takes control of the target’s computer.
Both vulnerabilities “exploit memory corruption to escalate privileges on the attacked system,” said Forbes. The first Chrome vulnerability (CVE-2019-13720) was reported by two researchers as being actively exploited “in the wild”, impacting the browser’s audio component. The other identified vulnerability is CVE-2019-13721 which impacts the browser’s PDFium library which affects the generation and viewing of PDF files. Memory corruption vulnerabilities are the result of common programming errors that can be difficult to identify.
Updating Your Chrome Browser
We recommend updating your Google Chrome browser as soon as possible. While the update should happen automatically, we suggest verifying the update has been made by visiting the “Help > About Google Chrome” option in your browser’s menu.
All software is subject to vulnerabilities like these, especially software as complex and widely used as all of the major web browsers. For the software you use on a daily basis, learn the procedure for checking for new versions, and periodically make sure that you are up to date.