Another Chrome Use-After-Free Flaw Disclosed
Google is warning users of a high-severity flaw in its Chrome browser that allows hackers to hijack computers. Anton Ivanov and Alexey Kulaev at Kaspersky found the flaw in Google Chrome's audio component. Google is urging users to update to the latest version of Chrome, 78.0.3904.87. The new version fixes the flaws that a hacker could exploit to take control of an affected system.
The flaw, CVE-2019-13720, is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause a myriad of problems, from crashing a program to executing arbitrary code or even enabling full remote code execution.
The researchers at Kaspersky are calling the exploits Operation WizardOpium. The attack leverages a watering-hole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted into the main page, which then loads a profiling script from a remote site. Researchers said that the exploit uses a race condition bug between two threads, caused by missing synchronization between them. It gives a hacker a use-after-free condition that can lead to code execution.
So far, researchers haven't been able to establish a definitive link with any known groups. There are some code similarities with Lazarus attacks, but it is not definitive. The profile of the targeted website is similar to earlier DarkHotel attacks.
Google is limiting access to bug details and links until a majority of users are updated with the fix. Use-after-free flaws aren't new to Google's Chrome browser. In August, Google disclosed a high-severity use-after-free vulnerability (CVE-2019-5869) in Blink that could enable remote hackers to execute code and carry out other malicious attacks.