Google Chrome rendered unsafe with discovery of two new vulnerabilities
Kaspersky, the cybersecurity company that detected one of the vulnerabilities, claims it is actively being used in attacks.
Two new vulnerabilities have been detected in the Google Chrome web browser, one of which, according to Kaspersky, the cybersecurity company that detected it, is actively being used in attacks. They have been assigned the identifiers 'CVE-2019-13720' and 'CVE-2019-13721', and Google has classified them as zero-day vulnerabilities.
For the uninitiated, zero-day vulnerabilities are previously unknown software bugs that can be exploited by attackers to inflict serious and unexpected damage. CVE-2019-13720 has been detected by Kaspersky experts in ‘Operation WizardOpium’.
In the attack, malicious JavaScript code is inserted in the main page, which in turn loads a profiling script from a remote site. This script checks whether the victim's system could be infected by examining versions of the browser’s user credentials. The exploit gives an attacker a Use-After-Free (UAF) condition, which is very dangerous because it can lead to code execution scenarios. The exploit targets the bug through the Google Chrome browser, and the script checks whether version 65 or later is being used.
The new exploit is used in attacks that leverage a waterhole-style injection in a Korean-language news portal.
Certain similarities in the code point to a possible link between this and North Korean cybercriminal group Lazarus’ attacks. Additionally, the profile of the targeted website is similar to what has been found in previous DarkHotel attacks, which have recently deployed comparable false flag attacks.
The second of the two vulnerabilities affects PDFium, a platform developed by Foxit and Google. PDFium provides developers with an open-source software library for viewing and searching PDF documents. Like the first bug, this flaw is also a use-after-free vulnerability. However, there have been no reports of it being exploited by cybercriminals for malicious purposes yet.
Google has said that it will roll out an update to patch the vulnerability in the coming days. However, according to cybersecurity company McAfee’s Chief Consumer Security Evangelist, Gary Davis, users should keep automatic updates enabled at all times for every application that offers them, for greater safety.