see also uaf vulnerability, google releases chrome emergency security update

Posted by santillano at 2020-04-10

Desperately loading

Not long ago, Google put a security measure of computer version of chrome on Android. However, it is clear that the security of chrome needs to be strengthened. Just yesterday, Google released an emergency update for two vulnerabilities of Chrome browser.

The main content of chrome 78.0.3904.87 update is to fix two security vulnerabilities that can affect chrome audio program (cve-2019-13720) and hidden in pdfium directory (cve-2019-13721), respectively. According to Google, both are high-risk vulnerabilities of use after free, and one of them has been widely used by hackers to invade and hijack computers.

UAF vulnerability is one of the memory corruption problems. It allows illegal users to enhance their rights in the system or software by destroying or modifying memory data.

Although Google didn't provide specific information about the two vulnerabilities, Kaspersky, a network security company, revealed that the hacker hacked into a Korean news website and hid the malicious code in the form of a water pit attack, waiting for chrome users to get a move.

It is said that after the user's recruitment, the code will install the first batch of malware on the target computer by taking advantage of cve-2019-13720 vulnerability, and then the malware will connect to a remote command-and-control server to download the rest.

First shellcode

Therefore, both of the above mentioned vulnerabilities allow hackers to run malicious code arbitrarily in the target system by enticing Chrome browser users to access malicious networks, bypassing sandbox checks.

In fact, this is not the first time the UAF vulnerability has been found on chrome. Just a month ago, Google also released an emergency security update designed to fix four UAF vulnerabilities, the most serious of which can even allow hackers to fully control the infected computer. This makes the UAF vulnerability the most common security vulnerability in chrome in recent months.