It takes a lot to scare anyone on Halloween night, but Google Chrome engineers were spooked enough to issue an urgent update announcement for the browser across all platforms. So, what gave Google the heebie-jeebies? The answer is not one but two security vulnerabilities, one of which has a zero-day exploit out in the wild already.
Here’s what is known so far
The October 31 disclosure from Google confirmed that the “stable channel” desktop Chrome browser is being updated to version 78.0.3904.87 across the Windows, Mac, and Linux platforms. This urgent update will start rolling out “over the coming days/weeks,” according to Google. Unlike recent Windows 10 security alerts advising not to install an update, Chrome users should ensure they do install this one.
At this moment in time, it is proving hard to find out much specific detail about either of the vulnerabilities concerned, other than the fact that one of the two being fixed by the update is already being exploited in the wild.
Google said that this is because: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on but haven’t yet fixed.”
What is the Google Chrome zero-day exploit?
What is known is that the one that Google has said the exploit exists in the wild is for the CVE-2019-13720 vulnerability. This was reported by two Kaspersky researchers, Anton Ivanov and Alexey Kulaev, on October 29. According to a U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) statement, the Google update “addresses vulnerabilities that an attacker could exploit to take control of an affected system,” but that’s as far as the detail goes.
Both this and CVE-2019-13721, are “use-after-free” vulnerabilities, which exploit memory corruption to escalate privileges on the attacked system. For CVE-2019-13721 this impacts the PDFium library that is involved with generating and viewing PDF files. It is the other, CVE-2019-13720, that has been reported as being exploited in the wild and this impacts the Chrome web browser audio component.
How serious are these Chrome zero-day vulnerabilities?
Although any vulnerability that is given a high severity rating has to be taken seriously, there remain different levels of risk for average users and those likely to be of interest to nation-state hackers for example. Unlike recent Android security alerts including the now infamous Joker malware, it would appear that the real-world risk isn’t too critical for most people.
“For me, it’s relatively low risk, with Google quickly acknowledging the vulnerabilities,” Mike Thompson, an application security specialist, “it’s another day at the ‘zero-day’ office where, in my humble opinion, the likelihood of any real damage is minimal.”
John Opdenakker, an ethical hacker, agrees that it’s good to see Google acting so quickly, “particularly as far as the one that’s already been exploited in the wild is concerned,” he says.
Having done some further digging, as ethical hackers have a habit of doing, Opdenakker says, “this most severe vulnerability can only be exploited via specially crafted websites,” which means, “the average user shouldn’t lose any sleep.”
That said, both Opdenakker and Thompson also advise users to ensure the Chrome browser update is installed as soon as possible to mitigate any risk.
This should happen automatically over the coming days and weeks; however, I would advise Chrome users to manually trigger the update process using the “Help | About Google Chrome” menu option.
I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at firstname.lastname@example.org if you have a story to reveal or research to share.