Google Discloses Chrome Zero-Day Security Exploit, Update Your Browser Now
If you rely on Google's Chrome browser to get around the web, be aware that an update is available that addresses a couple of "High" security threats. One of those—labeled CVE-2019-13720—is a zero-day vulnerability that is known to be actively exploited in the wild, though it is not clear to what extent nefarious individuals are leveraging it.
"Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google's security team stated in a blog post.
That one was discovered by Anton Ivanov and Alexey Kulaev, a pair of security researchers at Kaspersky Labs, and it will net them a bug bounty in an amount that is yet to be determined. The bug resides in Chrome's audio component and is of the use-after-free (UAF) variety, a class of memory bug in which a program tries to access memory after it has been freed.
These types of bugs can have a number of unwanted side effects, such as causing a program to crash or, more severely, enabling a remote attacker to execute malicious code on a target system. Details on this specific bug in Chrome are in short supply, but the "High" severity rating alone is reason enough to update the browser.
The latest Chrome update also patches CVE-2019-13721, another High severity UAF bug, only this one deals with the browser's PDFium library. There is no mention of this one being exploited in the wild. However, the same potential risks apply to this bug as they do to the audio component bug. The person who found this one will receive a $7,500 bug bounty.
As of this writing, the latest version of Chrome in Windows is 78.0.3904.87. You can check which version you have installed (and manually update Chrome) by clicking on the three vertical dots in the upper-right corner, then navigating to Help > About Google Chrome. If there is an update available, Chrome will automatically begin downloading it, and you will be prompted to restart the browser to complete the installation.
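For anyone checking more than one machine, the version comparison above can be scripted. The following is an added example, not code from Google or the article: it assumes 78.0.3904.87 (the version the article names) is the minimum build carrying the fixes, and the host names and version strings in the inventory are constructed sample data.

```python
import re

# Version the article gives as the latest Chrome on Windows; assumed here
# to be the minimum build that carries the two fixes.
PATCHED = (78, 0, 3904, 87)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of free text such as
    'Google Chrome 78.0.3904.70'; return a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_update(text, patched=PATCHED):
    """True if the version is older than `patched`, False if it is equal
    or newer, None if no version could be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples of ints compare numerically, part by part. Comparing the raw
    # strings would rank '78.0.3904.9' above '78.0.3904.87'.
    return version < patched


def audit(inventory):
    """Map each host in an iterable of (host, version_text) to a status."""
    labels = {True: "UPDATE", False: "OK", None: "UNKNOWN"}
    return {host: labels[needs_update(raw)] for host, raw in inventory}


# Constructed sample inventory (hypothetical hosts and readings).
SAMPLE = [
    ("ws-01", "Google Chrome 78.0.3904.87"),
    ("ws-02", "Google Chrome 78.0.3904.70"),
    ("ws-03", "77.0.3865.120"),
    ("ws-04", "Google Chrome 78.0.3904.9"),
    ("ws-05", "Google Chrome 79.0.3945.16 beta"),
    ("ws-06", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN still need a manual check through Help > About Google Chrome, since no version could be read for them.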