This week, Google disclosed a zero-day vulnerability in the Chrome browser that is under active exploitation. It is the second actively exploited Chrome zero-day this year.
Chrome Browser Zero-Day
Reportedly, Kaspersky researchers Anton Ivanov and Alexey Kulaev found a zero-day vulnerability in the Chrome browser. What makes their finding significant is that attackers are actively exploiting the bug.
Specifically, the researchers found a use-after-free vulnerability (CVE-2019-13720) in the Chrome browser. They also found the bug being exploited by as yet unidentified attackers.
The researchers call these attacks ‘Operation WizardOpium’. The attacks seem specifically aimed at newer Chrome versions. The researchers found some of the attacks checking that the browser is Chrome 65 or newer; however, further review of the code revealed another check for Chrome 76 or 77.
The technical details of the analysis are available in Kaspersky’s blog post.
Patch Rolling Out Soon
Upon discovering the flaw, the researchers reported it to Google, which acknowledged the zero-day. In a recent post, Google confirmed the bug alongside another use-after-free vulnerability (CVE-2019-13721).
Google has rated both vulnerabilities as high severity and has confirmed the active exploitation of CVE-2019-13720.
The company has assured users that patches for both bugs will arrive soon with the Chrome 78.0.3904.87 stable channel release for Linux, Mac, and Windows.
For now, Google has not revealed many details about the flaws or the exploit, in an attempt to protect users.
Chrome users should update their devices as soon as the patched version rolls out. They can also trigger a manual update by clicking the ‘About Google Chrome’ option under the ‘Help’ menu.
Earlier this year, Google revealed another use-after-free vulnerability in Chrome (CVE-2019-5786) that was actively exploited to target Windows 7. Microsoft later released a fix for the flaw following Google’s patch with Chrome 72.0.3626.121.