Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day.
“Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild,” Google engineers said in a blog post announcing the new v78.0.3904.87 release.
The actively-exploited zero-day was described as a use-aster-free bug in Chrome’s audio component.
Google credited Anton Ivanov and Alexey Kulaev, two malware researchers from Kaspersky, with reporting the issue.
Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences.
Back in March, Google patched another Chrome zero-day (CVE-2019-5786 in Chrome 72.0.3626.121), which at the time was being used together with a Windows 7 zero-day (CVE-2019-0859, fixed in the April Patch Tuesday). In April, Kaspersky said both exploits were used together by a yet-to-be-named APT (a term used to describe a nation-state hacking group).
The March Chrome zero-day was also a use-after-free vulnerability. It is unclear if this recent Chrome zero-day is used by itself to launch attacks on Chrome users, or is part of a more complex exploit chain, like the March attacks.
A Kaspersky spokesperson was not immediately available for comment on this issue.
Chrome 78.0.3904.87 is available for Windows, Mac, and Linux. The release will slowly roll out to all Chrome users in the coming weeks but users can trigger a manual update right now by visiting the browser’s Help > About Google Chrome section.