Security loophole was discovered in Google Chrome browser, now fixed

Kaspersky researchers recently discovered a zero-day vulnerability CVE-2019-13720 in Google Chrome. The vulnerability would insert a malicious JavaScript code on the main page, further checking if the victim's system could be infected. Upon matching the criteria, the attacker could exploit the loophole through the Google Chrome browser. The attack would then check if the Google Chrome version 65 or later is in use.

Once exploited, it could provide an attacker with a Use-After-Free (UaF) condition. This particular condition is dangerous for the fact that it can further lead to code execution scenarios. Researchers call the exploit 'Operation WizardOpium.' According to them, similarities in the code point to a potential connection between the campaign and Lazarus attacks. The targeted website has a profile, which is similar to the one that was previously discovered in DarkHotel attacks.

“The finding of a new Google Chrome zero-day in the wild once again demonstrates that it is only collaboration between the security community and software developers, as well as constant investment in exploit prevention technologies, that can keep us safe from sudden and hidden strikes by threat actors,” said Anton Ivanov, a security expert at Kaspersky.

Meanwhile, Google has released Chrome version 78.0.3904.87 for Windows, Mac and Linux.

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Google Chrome's Srinivas Sista said in his blog post.

Google Chrome security tips

-- Make sure your Google Chrome browser is up-to-date. Ensure to install the Google patch for the new vulnerability as soon as it is available to download and install.

-- Update all software other software installed on your system. This way, the attack won't spread across other areas on your computer system.

-- Researchers recommend users to have Vulnerability Assessment and Patch Management tools installed on their system to automate these processes.

-- Researchers recommend your security team to have access to the most-recent cyber threat intelligence.

-- Understanding and implementation knowledge of the basics in cybersecurity hygiene is recommended.

READ | 67% of companies stay quiet on cyber-security incidents, here's why

READ | Xhelper malware infects 45,000 devices over the past 6 months