Google Reveals Severe Zero-Day Vulnerabilities in Chrome
Google has released a software update to the Chrome browser that patches two severe zero-day vulnerabilities that could allow the browser to be hijacked.
Zero-Day Vulnerabilities Found in Google Chrome
Google has released a software update to the Chrome browser that patches two zero-day vulnerabilities that could potentially allow the browser to be hijacked by attackers.
One flaw affects the browser’s audio component (CVE-2019-13720) while the other vulnerability affects the PDFium library (CVE-2019-13721).
Google is urging users to update to the latest version as soon as possible. This includes Windows, Mac, and Linux devices as the version rolls out over the next few days.
“This version addresses vulnerabilities that an attacker could exploit to take control of an affected system,” stated the Cybersecurity and Infrastructure Security Agency alert. “One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.”
Prevent Arbitrary Code Execution
The main bug (CVE-2019-13720) is a use-after-free flaw: a memory corruption bug in which a program accesses memory after it has already been freed. The consequences range from crashes and unstable program behavior to execution of arbitrary code, and in some cases full remote code execution.
The second bug (CVE-2019-13721) was discovered in the PDFium library, an open-source library developed by Foxit and Google that gives developers the ability to view and search PDF documents. This vulnerability is also a use-after-free, but there are no reports of it being exploited in the wild. It was disclosed by a researcher under the alias “bananapenguin”, who received a $7500 bounty through Google’s vulnerability disclosure program.
This is the second round of Chrome zero-days detected this year: back in March, Google patched another Chrome zero-day (CVE-2019-5786) that was being used together with a Windows 7 zero-day (CVE-2019-0859).
Google has stated that the update to the browser will be rolling out to users automatically over the coming days; however, all Chrome users should opt for a manual update as soon as possible.
How to Manage Chrome Vulnerabilities
Leveraging a systems management solution with an up-to-date library of third-party products could easily alleviate the issue across organizations. Syxsense provides Chrome updates same-day and allows for an exceptionally smooth process with a Patch Deploy task.
Simply target all devices for the newest Chrome 78 update; the pre-packaged detection determines whether each device requires the update and, if it does, applies the update automatically and remediates the vulnerability.
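The detection step described above boils down to comparing each device's installed Chrome build against the first build that carries the fix. The following is an added example written for this post, not Syxsense code: the fixed-build version is passed in explicitly (the value used below is a constructed placeholder; take the real one from the Chrome release notes), hostnames and versions in the inventory are made up, and unparseable entries are treated as needing remediation rather than silently passing.

```python
"""Added example: decide which inventory entries still need the Chrome fix.

Chrome reports four-part versions such as 78.0.3904.70; a plain string
comparison gets these wrong ("78.0.3904.9" > "78.0.3904.87"), so versions
are parsed into integer tuples before comparing."""
import re
from typing import Dict, Optional, Tuple

_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '78.0.3904.70' into (78, 0, 3904, 70); None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    # Pad shorter forms so tuples compare field by field.
    return parts + (0,) * (4 - len(parts))


def needs_update(installed: str, fixed: str) -> bool:
    """True when the installed build predates the fixed build.

    Fail closed: an inventory value that cannot be parsed is reported as
    needing the update, never as already patched."""
    have, want = parse_version(installed), parse_version(fixed)
    if have is None or want is None:
        return True
    return have < want


def triage(inventory: Dict[str, str], fixed: str) -> Dict[str, str]:
    """Map each hostname to a verdict for a patch deployment task."""
    return {host: ("update required" if needs_update(ver, fixed) else "up to date")
            for host, ver in inventory.items()}


# Constructed placeholder for the first Chrome 78 build with the fix.
FIXED_BUILD = "78.0.3904.80"

# Constructed sample inventory export (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-finance-01": "78.0.3904.70",   # older 78 build: still vulnerable
    "ws-finance-02": "78.0.3904.97",   # newer than the fix: fine
    "ws-lab-03": "77.0.3865.120",      # previous major version: vulnerable
    "ws-lab-04": "unknown",            # unreadable record: flag for review
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY, FIXED_BUILD).items():
        print(f"{host}: {verdict}")
```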
Experience the Power of Syxsense
Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.