Share This:

Advisory Overview

Google Chrome is an extremely popular Internet Browser produced and distributed by Google for free. Within the last week, two vulnerabilities have been found in the browser that can allow an attacker to execute scripts and other actions without user authorization by using specially crafted web pages that exploit these vulnerabilities. One of the two vulnerabilities has been seen “in the wild,” meaning that the exploit is currently being used to attack consumers and businesses. The type of attack used by these vulnerabilities – known as “use-after-free” flaws due to how the attacks operate – can allow an attacker to install remote access tools or perform other hostile actions. Google has patched both flaws in the latest version of Chrome on Windows, Mac, and Linux. It is important to note that these updates will not be applied while the browser is open and/or running. Users should check for updates and then restart the Chrome browser by completely closing the application (not simply closing open windows) and restarting it.

To check for Chrome updates:

  1. On your computer, open Chrome.
  2. At the top right, click More (three vertical dots)
  3. Click Help -> About Google Chrome.

The About Google Chrome page will indicate if an update is needed. If so, allow the update to finish downloading, then restart Chrome to complete the process.

Technical detail and additional information

What is the threat?

CVE-2019-13720 and CVE-2019-13721 were discovered and patched by Google in Chrome for Windows, Mac, and Linux on or about October 30th, 2019. These two vulnerabilities both allow for a threat actor to create a use-after-free condition that can permit a successful exploit to place and execute arbitrary code on a victim machine after the victim visits a site that hosts the exploit code. 13720 has been spotted in the wild, with at least one site showing evidence of active exploit of the vulnerability.

Why is this noteworthy?

Chrome is extremely popular both in the business and personal world. Even when Chrome is not the officially-supported browser of a business, many end-users will download and use Chrome as their primary browser anyway, leading to large install bases of Chrome in many businesses. These vulnerabilities can be exploited by the user visiting an attack site – which may be using obfuscation techniques to hide its actual URL – and do not require user authorization to be successfully exploited.

What is the exposure or risk?

As a successful exploit can allow a threat actor to run arbitrary code on the victim machine, this can result in RAT or other dangerous software being deployed as the payload. This poses an extreme risk to business, as it can allow for machine and/or account takeover if the payload lands successfully.

What are the recommendations?

Google has patched both vulnerabilities in the latest version of Chrome. Users and businesses should immediately upgrade to the latest version via the native Software Update tools built into Chrome. It is important to note that Chrome will not successfully complete the update process while the browser is running. As users routinely leave Chrome and other browsers open for very long periods of time (sometimes for the entire uptime of the machine in question), users are not protected from these vulnerabilities while the browser continues to run. Users should be advised to look for the update, allow the update to run, and then fully close Chrome to complete the process. This should be done immediately and does not require a reboot of the machine – only that the browser is closed to complete the update. It should also be noted that Chrome browsers check periodically for updated software, but may not yet have checked for this update. Users should manually check for updates to ensure there are no updates currently available.

To check for Chrome updates:

  1. On your computer, open Chrome.
  2. At the top right, click More (three vertical dots)
  3. Click Help -> About Google Chrome.

References:

For more in-depth information about the recommendations, please visit the following links:

For more information, please contact our Security Operations Center.


Share This:
Doris Au

Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.

All Posts Website

Leave a reply

Your email address will not be published. Required fields are marked *