Google has credited two Kaspersky Labs researchers, Anton Ivanov and Alexey Kulaev, for discovering and reporting a vulnerability in the Chrome web browser, identified as CVE-2019-13720. Google classified the vulnerability as a “High Severity,” which is the most serious level affecting security. Chrome’s audio component is where the bug is found, and it is being described as a use-after-free flaw. Typically, when a program or application attempts to reference memory that has been wiped or replaced is when use-after-free vulnerabilities occur. Programs tend to crash when this happens, but other unintended scenarios can take place. Another Chrome zero-day was patched back in March and was also a use-after-free flaw. Early findings have not yet revealed whether the exploit that was announced yesterday is being used to launch attacks on individual Chrome users or if it’s part of a composite exploit chain.
Analyst Notes
Chrome users are being urged by Google to update to version 78.0.3904.87 as this vulnerability is of high severity and is being actively exploited. Most Chrome browsers are set to update automatically without prompting or requesting an update, but occasionally the browser is not updated fully until it is closed and re-started.
