Google once again closes zero-day vulnerability in Chrome that is being actively abused

Google has updated its Chrome browser to fix two security vulnerabilities. One of the two vulnerabilities is actively exploited. Criminals can use this to obtain elevated rights within the browser to be able to penetrate systems.

These are two vulnerabilities of which Google has estimated the seriousness as ‘high’. The vulnerability labeled CVE-2019-13721 is a use-after-free issue in PDFium, found by someone with the alias banananapenguin. PDFium is Google’s open source project for displaying and displaying print previews of PDFs in Chrome.

The second vulnerability was found by two Kaspersky employees and also concerns use-after-free, but ‘in audio’. It is this vulnerability, designated CVE-2019-1372, from which Google has received indications that abuse is already taking place in practice.

Use-after-free vulnerabilities concern issues that allow manipulation of data in memory, allowing attackers to increase their privileges within software. With Chrome, this opens the way for targets to visit a manipulated site, acquire rights to get out of Chrome’s shielded sandbox, and then run code to take over systems running the browser, for example.

Google won’t release details “until a majority of users have updated with a fix.” The company also closed zero-day vulnerabilities in March. At the time, Google had evidence that these were being exploited as part of a chain of exploits to carry out attacks through Chrome. Today’s update brings the build version to Chrome 78.0.3904.87. By default, users receive it automatically.