Google has issued a warning to Chrome users to urgently upgrade their browser, with Chrome 78.0.3904.87 release, containing a patch for two highly severe vulnerabilities, one of which is already been actively exploited in the wild by attackers to hijack PCs.
According to the Chrome security team, both issues are use-after-free vulnerabilities, with the first affecting Chrome's audio component (CVE-2019-13720) while the second vulnerability resides in the PDFium (CVE-2019-13721) library, for Windows, Mac, and Linux computers.
While a use-after-free vulnerability is class of memory corruption issues that allows modification of data in the PC memory, enabling an attacker to gain privilege to an affected system. And both flaws could allow remote attackers to gain privileges on Chrome browser by convincing targeted users into visiting maliciously crafted website, enabling them to run arbitrary code on the affected system.
The discovery of the flaws was credited to Kaspersky researchers, Anton Ivanov and Alexey Kulaev, with the audio component in Chrome application already been exploited in the wild, though it is not yet clear which specific hackers or group are targeting the flaw.
Kaspersky also traced the exploit to a compromised Korean-language news portal, which the attackers haven installed the first stage malware on the target systems after exploiting Chrome vulnerability (CVE-2019-13720), then connects to a remote command-and-control server to download final payload.
Google also released urgent security patches for Chrome to fix other use-after-free vulnerabilities in different components of the web browser, with the most severe of which allow remote hackers to take control of affected system.
Chrome users are advised to update the software on their systems, and whenever possible, as a non-privileged user in order to diminish the effects of any attack exploiting the zero-day vulnerability. Albeit, Chrome browser update happens automatically, and notifies users about the latest available version, but still users are recommended to trigger the update process by going to menu: Help → About Google Chrome.