Chrome Zero Day Bug | Google Chrome On Attack

CHROME ZERO DAY - It takes a lot to scare anyone on Halloween night; however, Google Chrome specialists were frightened enough to issue an urgent update announcement for the browser across all platforms. So, what gave Google the shakes?
The answer is not one but two security vulnerabilities, one of which already has a zero-day exploit out in the wild.
Google confirms updates are rolling out to fix a zero-day Chrome exploit that is in the wild
HERE'S WHAT IS KNOWN SO FAR
The October 31 disclosure from Google confirmed that the "stable channel" desktop Chrome browser is being updated to version 78.0.3904.87 across the Windows, Mac, and Linux platforms.
This urgent update will start rolling out "over the coming days/weeks," according to Google. Unlike recent Windows 10 security alerts that advised against installing an update, Chrome users should make sure they do install this one.
At this moment in time, it is proving hard to find out much
specific detail about either of the vulnerabilities concerned, other than the
fact that one of the two being fixed by the update is already being exploited
in the wild.
Google said that this is because:
"Access to bug subtleties and connections might be kept limited until a greater part of clients are updated with a fix. We will likewise hold confinements if the bug exists in an outsider library that different tasks correspondingly rely upon yet haven't yet fixed."
WHAT IS THE GOOGLE CHROME ZERO-DAY EXPLOIT?
What is known is that the one for which Google has said an exploit exists in the wild is the CVE-2019-13720 vulnerability. This was reported by two Kaspersky researchers, Anton Ivanov and Alexey Kulaev, on October 29.
According to a U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) statement, the Google update addresses "vulnerabilities that an invader could exploit to take control of the system," which is about as far as the detail goes.
GOOGLE PUBLISHED A BLOG POST
Google published a blog post with more information on the security vulnerabilities. It states that the zero-day (with tracking number CVE-2019-13720) was a use-after-free bug in Chrome's audio component. The other security issue (CVE-2019-13721) affects the PDFium library, which is used to generate and view PDF files in the browser.
A use-after-free vulnerability
is a memory-corruption flaw that can be used by hackers to execute rogue code.
More specific details about these two flaws won't be released until "a majority of users are updated with a fix," as per Google's policies. The company further notes, "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
HOW SERIOUS ARE THESE CHROME ZERO-DAY VULNERABILITIES?
Although any vulnerability that is given a high severity
rating has to be taken seriously, there remain different levels of risk for
average users and those likely to be of interest to nation-state hackers for
example.
Unlike recent Android security alerts including the now infamous Joker malware, it would appear that the real-world risk isn't too critical for most people.
"For me, it's relatively low risk, with Google quickly acknowledging the vulnerabilities," says Mike Thompson, an application security specialist. "It's another day at the 'zero-day' office, where in my humble opinion, the likelihood of any real damage is minimal."
John Opdenakker, an ethical hacker, agrees that it's good to see Google acting so quickly, "particularly as far as the one that's already been exploited in the wild is concerned," he says.
Having done some further digging, as ethical hackers have a
habit of doing, Opdenakker says, "this most severe vulnerability can only
be exploited via specially crafted websites," which means, "the
average user shouldn't lose any sleep."
MITIGATION ADVICE
That said, both Opdenakker
and Thompson also advise users to ensure the Chrome browser update is installed
as soon as possible to mitigate any risk.
This should happen automatically over the coming days and weeks; however, I would advise Chrome users to manually trigger the update process using the "Help > About Google Chrome" menu option.
"Google has discharged Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an invader could exploit to take control of the system. One of these vulnerabilities (CVE-2019-13720) was recognized in exploits in the wild,"
- the notice says.
HOW TO PROTECT YOURSELF
Google is now aware of the issues and working on an update
to patch any vulnerabilities. The update is expected to arrive in the coming
days or weeks.
"The stable channel has been updated to 78.0.3904.87 for Windows, Mac, and Linux, which will turn out over the coming days/weeks,"
- Google wrote in its blog post.
When the update arrives, an update arrow will appear in the top-right corner of your browser. Click that button as soon as it appears. Once you've updated and relaunched the browser, you should be safe from these vulnerabilities.
NOTE:
The update should appear
automatically, but if it hasn't popped up yet you can manually apply it by
navigating to Help > About Google Chrome in the browser menu. Once
installed, the threat is neutralized and you can continue to use Chrome as
normal.
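For anyone checking more than one machine, the following is an added example (not from the original article or from Google): a Python check that compares reported Chrome version strings against the fixed build 78.0.3904.87 named above. The host names, the sample strings and the assumed "Google Chrome <version>" output format are constructed for illustration.

```python
import re

# Fixed build named in the advisory quoted on this page.
FIXED = (78, 0, 3904, 87)

# Four-part version anywhere in a string such as "Google Chrome 78.0.3904.70"
# (this output format is an assumption made for the example).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'updated', 'outdated' or 'unknown' for one inventory entry."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never treat an unparsable entry as up to date
    # Tuple comparison is numeric per component, so 3904.9 < 3904.87;
    # a plain string comparison would get that case wrong.
    return "updated" if version >= fixed else "outdated"


def audit(inventory):
    """Map host -> status and list the hosts that still need attention."""
    report = {host: classify(raw) for host, raw in inventory.items()}
    pending = sorted(h for h, s in report.items() if s != "updated")
    return report, pending


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 78.0.3904.87",
    "ws-02": "Google Chrome 78.0.3904.70",
    "ws-03": "Google Chrome 78.0.3904.9",   # sorts after .87 as a string
    "ws-04": "Google Chrome 77.0.3865.120",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    report, pending = audit(SAMPLE)
    for host in sorted(report):
        print(f"{host}: {report[host]}")
    print("needs follow-up:", ", ".join(pending))
```

Entries reported as "unknown" are listed for follow-up along with the outdated ones, since a host whose version cannot be read has not been shown to carry the fix.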
CONCLUSION
There are thought to be well over a billion people using Chrome, which shows you just how critical it is to close these security holes quickly. If nothing else, this proves why automatic updates are so important for software connected to the internet.
The last time a zero-day
exploit was identified in Chrome was back in March when a similar warning about
updating immediately was issued.