Developers of the Google Chrome web browser issued an emergency update on Halloween. The update is meant for all stable versions of the popular web browser across all platforms, which is a clear indicator of the severity of the update. Apparently, the security update is meant to counter not one but two security vulnerabilities. What’s more concerning is that one of the security flaws has a zero-day exploit out in the wild already.
Kaspersky Exploit Prevention, an active threat detection component of Kaspersky products, caught a new, previously unknown exploit for Google’s Chrome browser. The team reported their findings to the Google Chrome security team and included a Proof of Concept (PoC) as well. After a quick review, Google was clearly convinced that there was indeed an actively exploited 0-Day vulnerability in the Google Chrome web browser. After quickly escalating the issue to the highest priority, Google issued an emergency update to the web browser. The security vulnerability has been tagged as ‘High Severity 0-Day Exploit’ and affects all the different variants of the Chrome browser across all the different operating systems.
Kaspersky Detects ‘Exploit.Win32.Generic’ 0-Day Vulnerability Which Affects All Google Chrome Browser Versions:
Google confirmed on Halloween that the “stable channel” desktop Chrome browser is being updated to version 78.0.3904.87 across the Windows, Mac, and Linux platforms. Unlike the updates that begin rolling out gradually, the latest update should have a rather accelerated deployment. Hence it is critical that Chrome browser users ensure they install the latest update without any delay. In a rather cryptic message, Google issued an advisory that said,
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
🎃 0-Day Alert! #Google is warning Windows, Mac, #Linux users to update their #Chrome browser (to 78.0.3904.87) immediately due to a security vulnerability (CVE-2019-13720) that attackers are actively exploiting in the wild to hijack computers. https://t.co/tw7Msba4kb #infosec pic.twitter.com/QJj7ojqEDU
— The Hacker News (@TheHackersNews) November 1, 2019
While Google is being rather incoherent about the security vulnerabilities within Chrome, Kaspersky has unofficially named the attack ‘Operation WizardOpium’. Technically, Kaspersky detects the attack as Exploit.Win32.Generic. The maker of antivirus, firewall, and other network security products is still exploring the potential of the attack and the identities of the cybercriminals who may have launched it. The team claims some of the code bears some resemblance to the Lazarus attacks, but nothing has been confirmed.
Google Acknowledges Chrome Zero-Day Exploit And Issues Emergency Update To Counter Threat:
Google has noted that an exploit for the CVE-2019-13720 vulnerability currently exists in the wild. That vulnerability reportedly impacts the Chrome web browser’s audio component. Incidentally, there’s one other security vulnerability, which has been officially tagged as CVE-2019-13721. Both security flaws are “use-after-free” vulnerabilities, a type of memory corruption bug that attackers can exploit to escalate privileges on the attacked system.
Acknowledging both the security threats, Google issued an emergency update for the Chrome browser, but the update appears to be limited to the stable channel at present. The update reportedly contains only the patch for the bugs. Kaspersky is actively engaged in investigating the threat risk, but it is not immediately clear who may have exploited the 0-day vulnerability.
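To confirm that machines have actually picked up the fixed build 78.0.3904.87 named above, the version check can be scripted. The following is an added example, not code from Google or Kaspersky; the function names, hostnames and sample inventory are assumptions constructed for illustration. It compares versions numerically, because a plain string comparison would wrongly rank a later build such as .108 below .87.

```python
import re

FIXED = (78, 0, 3904, 87)  # fixed stable build named in the article

# Matches "Chrome/78.0.3904.70" (User-Agent header) and
# "Google Chrome 78.0.3904.70" (output of the browser's --version flag)
VERSION_RE = re.compile(r"Chrome[/ ](\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_version(text):
    """Return the four-part Chrome version found in text as a tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text):
    """True if text reports a build older than FIXED; None if no version found."""
    v = chrome_version(text)
    return None if v is None else v < FIXED  # tuple compare is numeric per part


def audit(records):
    """records: iterable of (host, version_text). Returns (outdated, unknown)."""
    outdated, unknown = [], []
    for host, text in records:
        status = needs_update(text)
        if status is None:
            unknown.append(host)
        elif status:
            outdated.append((host, ".".join(map(str, chrome_version(text)))))
    return outdated, unknown


# Constructed sample inventory: hostnames and strings are made up for illustration
SAMPLE = [
    ("ws-01", "Google Chrome 78.0.3904.70"),
    ("ws-02", "Google Chrome 78.0.3904.87"),
    ("ws-03", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"),
    ("ws-04", "Google Chrome 78.0.3904.108"),
    ("ws-05", "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"),
]

if __name__ == "__main__":
    outdated, unknown = audit(SAMPLE)
    for host, ver in outdated:
        print(f"{host}: Chrome {ver} predates {'.'.join(map(str, FIXED))}, update required")
    for host in unknown:
        print(f"{host}: no Chrome version found, check manually")
```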