CVE-2019-13720: new Chrome 0-day bug exploited in the wild

Yesterday, Google engineers released an urgent update for the Chrome browser to patch an actively exploited zero-day.

The release of Chrome 78.0.3904.87 fixes two high-severity vulnerabilities: one affects Chrome’s audio component (CVE-2019-13720), while the other resides in the PDFium library (CVE-2019-13721). Both could enable remote attackers to gain privileges just by convincing targeted users to visit a malicious website, allowing them to escape sandbox protections and run arbitrary malicious code.

Kaspersky researchers Anton Ivanov and Alexey Kulaev discovered that the audio component issue is already being exploited in a campaign dubbed Operation WizardOpium. Some “very weak code similarities” suggest a possible connection to the Lazarus Group, a threat actor linked to North Korea.



