Google has released urgent updates for 4 vulnerabilities. One of the vulnerability is rated Critical and the other three are rated High in severity. Google fixes four chrome security vulnerabilities using a vulnerability management tool. However, as per the Chrome advisory, the vulnerabilities are :
- CVE-2019-13685 : A critical Use-after-free issue in UI.
- CVE-2019-13688 : A Use-after-free issue in media.
- CVE-2019-13687 : A Use-after-free issue in media.
- CVE-2019-13686 : A Use-after-free issue in offline pages.
It is interesting to note that all the four vulnerabilities in Chrome are Use-after-free issues. A Use-after-free, identified as CWE-416 by Mitre, is an attempt to access a memory block after it has been freed which can lead to a direct memory crash, usage of unexpected values or execution of arbitrary code. This memory crash can be patched using a patch management tool.
An attacker who tries to exploit these vulnerabilities can disclose sensitive information, bypass security restrictions, crash the application or even execute arbitrary code in the context of the browser by redirecting them to a specially crafted webpage.
Chrome has released security updates for these vulnerabilities. Also, the Chrome security team has not yet disclosed the complete details of the vulnerabilities to prevent any cases of exploitation. The details would soon be available when a majority of the users have updated to the latest versions of Chrome.
Affected Products
Google Chrome versions before 77.0.3865.90
Impact
Successful exploitation allows an unprivileged attacker to remotely execute code, leak sensitive data or cause denial of service condition.
Solution
Please refer to this KB Article which is now replaced by KB Article to apply the patches using SanerNow.