Google gave Chrome users a Halloween scare on Thursday, disclosing two critical security vulnerabilities, one of which was an actively exploited zero-day.
The security issues were serious enough for the Cybersecurity and Infrastructure Security Agency (CISA), an agency under the Department of Homeland Security, to issue a warning urging users to update their browsers.
"Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild," the notice says.
Google published a blog post with more information on the security vulnerabilities. It states that the zero-day (with tracking number CVE-2019-13720) was a use-after-free bug in Chrome's audio component. The other security issue (CVE-2019-13721) affects the PDFium library, which is used to generate and view PDF files in the browser.
A use-after-free vulnerability is a memory-corruption flaw in which a program keeps using a block of memory after it has been released; an attacker who can control what lands in that freed memory may be able to execute arbitrary code.
More specific details about these two flaws won't be released until "a majority of users are updated with a fix," as per Google's policies. The company further notes, "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
Anton Ivanov and Alexey Kulaev, two researchers at Kaspersky, were credited for reporting the zero-day exploit on October 29. The second vulnerability was uncovered by bug hunter bananapenguin, who received a $7,500 bounty.
How to protect yourself
Google has already released the fix (Chrome 78.0.3904.87) for both vulnerabilities. The update is rolling out gradually and is expected to reach all users over the coming days or weeks.
"The stable channel has been updated to 78.0.3904.87 for Windows, Mac, and Linux, which will roll out over the coming days/weeks," Google wrote in its blog post.
When the update arrives, an update arrow will appear in the top-right corner of your browser. Click that button as soon as it appears. You can also check for an update manually by going to Settings > About Chrome. Once you've updated and relaunched the browser, you should be protected from these vulnerabilities.