Google engineers issued a warning about vulnerabilities in Chrome, one of which has a zero-day exploit. Announced on Halloween night, the security problems affect versions for all platforms, said Forbes.
According to Forbes, it is difficult to find out more about the specifics of the vulnerabilities. However, experts declared that one of them is already being taken advantage of by malicious parties.
Google clarified that the limited information available about the issues serves to protect the security of users. The company said that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.” Google also noted that it “will retain restrictions if the bug exists in a third party library that other projects similarly depend on but haven’t yet fixed.”
However, Forbes disclosed that the zero-day exploit exists for the CVE-2019-13720 vulnerability. Kaspersky researchers Anton Ivanov and Alexey Kulaev found and reported the issue on October 29.
The other security flaw, CVE-2019-13721, is similar to the first one. Both are memory corruption flaws that can be exploited to gain privileged access to the target system. CVE-2019-13721 affects the PDFium library, which is used to generate and view PDF files. Meanwhile, CVE-2019-13720, the one with the existing exploit, affects the Chrome web browser’s audio component.
The high-severity issues are deemed “relatively low-risk” by application security specialist Mike Thompson. According to him, Google’s quick acknowledgment and action against the bugs made the issues low risk. Moreover, he noted that “the likelihood of any real damage is minimal.”
White hat hacker John Opdenakker also commended Google for acting promptly, especially as it addresses the zero-day exploit.
To address the issues, Google experts are slated to release an update for version 78.0.3904.87 for Windows, Mac and Linux operating systems. Users are advised to install the update.
The United States’ Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released a statement saying that the update “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Meanwhile, Opdenakker and Thompson both reminded users to update their browsers as soon as possible. Forbes noted that the system will automatically execute the update. However, individuals can choose to manually update their browser by clicking the three dots, going to Help and selecting About Google Chrome. This will update the app and prompt a relaunch.