Google Discloses Chrome Flaw Exploited in the Wild

Google warns of exploits in the wild against a use-after-free vulnerability in Chrome’s audio component.

UPDATE

Google is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.

The flaw (CVE-2019-13720), discovered by security researchers Anton Ivanov and Alexey Kulaev at Kaspersky, exists in Google Chrome’s audio component. Google is urging users to update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as it rolls out over the coming days.

“This [updated] version addresses vulnerabilities that an attacker could exploit to take control of an affected system,” according to a Thursday Cybersecurity and Infrastructure Security Agency (CISA) alert. “One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.”

The bug (CVE-2019-13720) is a use-after-free flaw: a memory-corruption condition in which a program keeps using a pointer to memory after that memory has been freed and possibly handed out again. If an attacker can influence what the allocator places in the freed region before the stale pointer is used, the impact ranges from a crash to arbitrary code execution in the affected process.

Costin Raiu, director of Global Research and Analysis Team at Kaspersky, wrote on Twitter “a few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google.”

Kaspersky researchers are calling the attack Operation WizardOpium. It leveraged a watering-hole-style injection on a Korean-language news portal, they said.

Malicious JavaScript was inserted into the portal’s main page, which then loaded a profiling script from a remote site. Researchers said that the exploit “used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free condition that is very dangerous because it can lead to code execution scenarios.”
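To make the two descriptions above concrete (the use-after-free definition and the missing-synchronization race Kaspersky describes), here is an added C example. It is a constructed model, not Chrome’s audio code and not the WizardOpium exploit; the slot pool, the `audio_buffer` struct and the `scenario_*` functions are all assumptions made for illustration. It writes out one losing interleaving in program order, in which the thread that owns an audio node frees its buffer while the render callback still holds a raw pointer, and then shows the reference-counted hand-off that keeps the buffer alive until its last user is finished.

```c
#include <stdio.h>

/* Constructed model (not Chrome's code): an audio buffer shared between the
 * thread that owns a node and the render thread that fills output from it.
 * A tiny slot pool stands in for the heap and tracks lifetime, so that a
 * dangling access is reported instead of being silent undefined behaviour. */

#define POOL_SLOTS 4
#define FRAMES 8

enum { OK = 0, ERR_USE_AFTER_FREE = -1, ERR_DOUBLE_FREE = -2, ERR_NO_SLOT = -3 };

struct audio_buffer {
    int live;               /* 1 while allocated, 0 once freed */
    int refcount;           /* holders of a reference (fixed scenario only) */
    float samples[FRAMES];
};

static struct audio_buffer pool[POOL_SLOTS];

static struct audio_buffer *buf_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].refcount = 1;
            for (int f = 0; f < FRAMES; f++) pool[i].samples[f] = 0.5f;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stands in for free(): the slot becomes reusable and its contents are
 * poisoned, as a debug allocator would, so a later read is recognisable. */
static int buf_free(struct audio_buffer *b) {
    if (!b->live) return ERR_DOUBLE_FREE;
    b->live = 0;
    for (int f = 0; f < FRAMES; f++) b->samples[f] = -1.0f;
    return OK;
}

/* The render callback: sums one block of frames into *out. */
static int render(const struct audio_buffer *b, float *out) {
    if (!b->live) return ERR_USE_AFTER_FREE;   /* a real heap would not tell us */
    float acc = 0.0f;
    for (int f = 0; f < FRAMES; f++) acc += b->samples[f];
    *out = acc;
    return OK;
}

/* Missing synchronization: the owner tears the node down and frees the
 * buffer while the render thread still holds a raw pointer and runs later.
 * The losing interleaving is written out in program order here; on real
 * hardware it is a timing window the attacker widens and retries. */
int scenario_unsynchronized(float *out) {
    struct audio_buffer *shared = buf_alloc();
    if (!shared) return ERR_NO_SLOT;
    struct audio_buffer *render_thread_ptr = shared; /* raw copy, no reference */
    buf_free(shared);                        /* owner thread: node stopped */
    return render(render_thread_ptr, out);   /* render thread: use after free */
}

/* Fixed lifetime: every thread that may touch the buffer holds a reference
 * and the memory is released only when the last one drops, so the callback
 * can never observe a freed buffer. Under real threads the count must be
 * atomic or lock-protected. */
static void buf_ref(struct audio_buffer *b) { b->refcount++; }
static int buf_unref(struct audio_buffer *b) {
    if (--b->refcount == 0) return buf_free(b);
    return OK;
}

int scenario_refcounted(float *out) {
    struct audio_buffer *shared = buf_alloc();
    if (!shared) return ERR_NO_SLOT;
    buf_ref(shared);                 /* render thread takes its own reference */
    buf_unref(shared);               /* owner thread: node stopped, count now 1 */
    int rc = render(shared, out);    /* buffer is still live */
    buf_unref(shared);               /* render thread finished: freed here */
    return rc;
}

int main(void) {
    float v = 0.0f;
    int rc = scenario_unsynchronized(&v);
    printf("unsynchronized: rc=%d (%s)\n", rc,
           rc == ERR_USE_AFTER_FREE ? "use-after-free caught" : "ok");
    rc = scenario_refcounted(&v);
    printf("refcounted:     rc=%d sum=%.1f\n", rc, v);
    return 0;
}
```

The pool marks freed slots and poisons their contents so the dangling read surfaces as an error rather than silently reading whatever the allocator reused the slot for, which is roughly what AddressSanitizer’s quarantine does for real allocations. Against a real heap the same stale read would return attacker-influenced data, which is the step that turns a lifetime bug into code execution. Chrome’s actual fix is not described on this page.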

“So far, we have been unable to establish a definitive link with any known threat actors,” they said in a Friday analysis. “There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.”

Google and the researchers are intentionally remaining tight-lipped. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s alert. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said in its advisory.

Use-after-free flaws have plagued Google’s Chrome browser recently. In August, Google disclosed a high-severity use-after-free vulnerability (CVE-2019-5869) in Blink, the open-source rendering engine that powers Chrome, that could enable remote attackers to execute code and carry out other malicious attacks.

Google on Thursday also disclosed another high-severity vulnerability (CVE-2019-13721) in PDFium, the open-source PDF library developed by Foxit and Google that Chrome uses to render and search PDF documents.

This flaw is also a use-after-free vulnerability but there are no reports of it being exploited in the wild. It was disclosed by a researcher under the alias “banananapenguin” who received a $7500 bounty through Google’s vulnerability disclosure program for the discovery.

This post was updated on Nov. 1 at 4pm EST to reflect further details about the detected exploit.
