Web application security specialists reported the appearance of two dangerous vulnerabilities in the Chrome browser, in addition to the active exploitation of one of these flaws to take control of the victims’ computers.
Security flaws are present in the browser version for Windows, Mac, and Linux operating systems, and its users must update Chrome to the latest version (78.0.3904.87), released just a few hours ago.
Although no further details were reported on these security flaws, Chrome’s web application security experts mentioned that both are variants of the vulnerabilities known as use-after-free. The first of these flaws (tracked as CVE-2019-13720) affects the browser audio component, while the second (CVE-2019-13721) resides in the PDFium library.
According to web application security experts, a use-after-free vulnerability is a condition that allows hackers to corrupt or modify data in a system’s memory, which generates the necessary conditions to perform a privilege escalation in the targeted environment.
Exploiting both vulnerabilities would allow remote threat actors to gain high privileges in Chrome, plus they only require tricking target users into visiting a malicious website, which will be used to bypass the sandbox environment and execute their arbitrary code on the victims’ system.
Regarding the reports, CVE-2019-13720 was discovered and reported by Anton Ivanov and Alexey Kulaev, researchers from security firm Kaspersky Labs. The flaw was found in the wild, although nothing is yet known about the hackers responsible for its exploitation.
After Google received the bug report, and after the release of the security patch, some technical details of the detected attack were revealed. As reported, hackers compromised a news site of South Korean origin, planted the exploit on the site and hacked the computers of users of this site who entered from an affected version of Chrome.
According to the experts from International Institute of Cyber Security (IICS), this exploit installs the malware to abuse the vulnerability, connecting with an encoded C&C to download the final payload. Users are strongly advised to update Chrome as soon as possible.