Attention readers, with the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are actively exploiting in the wild to hijack computers.
Without revealing technical details of the vulnerability, the Chrome security team only says that both issues are use-after-free vulnerabilities, one affecting Chrome’s audio component (CVE-2019-13720) while the other resides in the PDFium (CVE-2019-13721) library.
Discovered and reported by Kaspersky researchers Anton Ivanov and Alexey Kulaev, the audio component issue in the Chrome application has been found exploited in the wild, though it remains unclear at the time which specific group of hackers.
“Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild,” Google Chrome security team said in a blog post.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The use-after-free vulnerability is a class of memory corruption issues that allows corruption or modification of data in the memory, enabling an unprivileged user to escalate privileges on an affected system or software.
Thus, both flaws could enable remote attackers to gain privileges on the Chrome web browser just by convincing targeted users into visiting a malicious website, allowing them to escape sandbox protections and run arbitrary malicious code on the targeted systems.
The use-after-free issue is one of the most common vulnerabilities discovered and patched in the Chrome web browser in the past few months.
Just over a month ago, Google released an urgent security update for Chrome to patch a total of four use-after-free vulnerabilities in different components of the web browser, the most severe of which could allow remote hackers to take control of an affected system.
In March this year, Google also released an emergency security update for Chrome after miscreants were found actively exploiting a similar use-after-free Chrome zero-day vulnerability in the wild affecting the browser’s FileReader component.
To patch both security vulnerabilities, Google has already started rolling out Chrome version 78.0.3904.87 for Windows, Mac, and Linux operating systems.
Although the Google web browser automatically notifies users about the latest available version, users are recommended to manually trigger the update process by going to “Help → About Google Chrome” from the menu.
Besides this, Chrome users are also recommended to run all software on their systems, whenever possible, as a non-privileged user in an attempt to diminish the effects of successful attacks exploiting any zero-day vulnerability.