Google has credited two Kaspersky Labs researchers, Anton Ivanov and Alexey Kulaev, with discovering and reporting a vulnerability in the Chrome web browser, identified as CVE-2019-13720. Google classified the vulnerability as “High Severity,” which is the most serious level affecting security. The bug is in Chrome’s audio component and is described as a use-after-free flaw. Use-after-free vulnerabilities typically occur when a program or application attempts to reference memory that has been wiped or replaced. Programs tend to crash when this happens, but other unintended scenarios can take place. Another Chrome zero-day, also a use-after-free flaw, was patched back in March. Early findings have not yet revealed whether the exploit that was announced yesterday is being used to launch attacks on individual Chrome users or whether it is part of a composite exploit chain.
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In