Google pushes out urgent Chrome update to patch actively exploited zero-day vulnerabilities
Users of Chrome are being urged to update their browsers as Google is rolling out a patch for two serious zero-day vulnerabilities, one of which is already being actively exploited.
The Chrome security team says that both vulnerabilities are use-after-free memory-safety bugs, which can be exploited to execute arbitrary code. One vulnerability exists in an audio component of the browser, while the other is in the PDFium library. The Windows, macOS and Linux versions of Chrome are all affected.
The Center for Internet Security warns that "multiple vulnerabilities have been discovered in Google Chrome", and says that both CVE-2019-13720 and CVE-2019-13721 have a High severity rating. It goes on to explain that: "Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions".
In a blog post, the Google Chrome team says that version 78.0.3904.87 is being rolled out to the stable channel to address the problems:
This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$7500] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12
[$TBD] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29
Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild.
Because of the active exploitation of one of the vulnerabilities, full details of the security flaws are not being disclosed at the moment.