View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 1, 2019

Google Scrambles to Patch Chrome Bug After Exploits Spotted in the Wild

Rapid patch comes after reports of exploitation

By CBR Staff Writer

A previously unseen Chrome bug has been caught being exploited “in the wild”, with Google pushing out a patch this week to its billions of users within a day of the vulnerability being reported to it by security researchers.

The first, CVE-2019-13720, is a “use-after-free” vulnerability (a class of memory corruption bug) in the browser’s audio component and was reported by Anton Ivanov and Alexey Kulaev from Kaspersky Labs on October 29.

The second, CVE-2019-13721 is a use-after-free bug in PDFium (an open source software library to view, search, and print PDF documents that is bundled into Chrome) and was reported by “bananapenguin” (a quick search by Computer Business Review suggests that this is may be a Japanese programmer) on 2019-10-12.

Google said it is “aware of reports that an exploit for CVE-2019-13720 exists in the wild”, thanking “all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

It is not disclosing further details about the bugs until “a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

As Travis Biehn, the research lead at Synopsys, told Computer Business Review earlier this year in response to another memory corruption bug in Chrome: Google Chrome is some of the most robustly engineered C and C++ code on the planet, the security teams working on Chrome are world-class.”

He added: “[But] despite Google’s security program… it still suffers from memory corruption attacks related to the use of C and C++. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”

In other Chrome news, it is finally shipping its WebXR device API in the latest version of Chrome, 17 months after pushing out a beta release.

“Developers can now create immersive experiences for smartphones and head-mounted displays. Other browsers will be supporting these specs soon, including Firefox Reality, Oculus Browser, Edge and Magic Leap’s Helio browser” it said.

See also: Update Chrome “Right This Minute” Warns Google

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU