In a blog post announcing the stable channel update of Chrome's 78.0.3904.87 release, the engineers revealed that they knew the zero-day was being exploited in the wild and thanked the security researchers who brought this matter to their attention, saying:
“Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
- New Android zero-day affects millions of devices
- Zero-day exploits found in Android VoIP
- New vBulletin zero-day could infect thousands of sites worldwide
The zero-day vulnerability was discovered being exploited in the wild by Anton Ivanov and Alexey Kulaev, two security researchers from Kaspersky.
The zero-day itself was described as a use-after-free vulnerability in Chrome's audio component. Use-after-free vulnerabilities are memory corruption bugs that result when an application tries to reference memory that had previously been assigned to it but was freed or deleted.
Generally these types of vulnerabilities cause a program to crash but they can also lead to other unintended consequences as was the case with another Chrome zero-day Google patched back in March. That vulnerability, CVE-2019-5786 was used alongside a Windows 7 zero-day which was also patched back in April. According to Kaspersky, both exploits were used together by an unnamed nation-state hacking group.
At this time, it is still unclear as to whether this latest Chrome zero-day was used to launch attacks against Chrome users or whether it is part of a more complex exploit chain that exploits several vulnerabilities as was the case back in March.
- Also check out our complete list of the best antivirus software of 2019