As if Halloween night wasn't spooky enough, the Google Chrome team had a fright of its own to announce: a critical update for the browser across several platforms. So what gave Chrome the creeps? Two security vulnerabilities were discovered, one of which is a zero-day with an exploit already in the wild!
So, what is the whole story?
According to Google, "The current Chrome browser (desktop version) is being refreshed to 78.0.3904.87 (a new version) across various platforms like Mac, Linux, and Windows. The critical update will begin to work soon. Chrome users are highly advised to add these updates for safety, unlike the Windows 10 security updates (in which the users were told not to)." At present, it is not easy to obtain specific information about the two vulnerabilities involved, except that an exploit for the zero-day addressed by the update is already out in the wild.
"Access to flaws and links can be restrained until most of the users are renewed with a solution. The constraints are also said to be kept on hold if the bug exists within another party's archives on which similar projects depend," says Google, justifying the actions taken.
About the Zero-Day Exploit
The vulnerability is known as CVE-2019-13720, according to Google. The threat was described on October 29 by Anton Ivanov and Alexey Kulaev, researchers at Kaspersky. "As far as we know, the Chrome update by Google addresses loopholes that an intruder could misuse to hack an exploited computer if wanted," said the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) in a statement.
Both vulnerabilities rely on memory corruption to escalate privileges on the attacked computer. The CVE-2019-13721 vulnerability affects the PDFium library, which is responsible for creating PDF files. But it is the other one, CVE-2019-13720, which is said to be exploited in the wild; it affects the audio components of Google Chrome. "Luckily, the threat is not very severe as Google has promptly recognized the flaws. The chances of any real damage in the 'Zero-Day room' are the least," says Mike Thompson, applications security specialist.