Google has released an emergency update for Chrome with a warning that an exploit exists in-the-wild. There are two vulnerabilities rated high in severity and one of them has been reported as a zero-day. CVE-2019-13721 and CVE-2019-13720 are use-after-free issues in PDFium library and audio component respectively. An attacker can trick a user into visiting a malicious website and therefore bypass sandbox protections to execute arbitrary code on the target machine.

The advisory states that CVE-2019-13720 has been actively exploited. Kaspersky reported and analyzed the Chrome zero-day and gave the moniker Operation WizardOpium to these attacks. While there is no concrete evidence about the threat actor using the zero-day, they presume that there could be overlaps with the Lazarus and DarkHotel attacks.

As detailed by Kaspersky, the attackers carried out a watering-hole attack by compromising a Korean-language news portal. The main page is infected with a malicious script which in turn loads another script from an attacker controlled website. This script performs certain checks to determine the system configuration and browser version before infection. Then a few requests are made to the server to download chunks of exploit code, URL to the image file that embeds a key for the final payload and an RC4 key used for decryption of exploit code.

The exploit utilizes a race condition between two threads which arises due to an improper  synchronization between them. This leads to a use-after-free condition which gives way for an attacker to execute arbitrary code. The use-after-free leaks the 64-bit addresses which can be used to figure out the location of heap/stack thereby bypassing the ASLR. An attacker can determine the heap layout for successful exploitation. The exploit gives an attacker read/write permissions by allocating or freeing up the memory which is used to craft a special object that can be used with WebAssembly and FileReader to achieve arbitrary code execution.


Affected Products

Google Chrome versions before 78.0.3904.87

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.

Please refer to this KB Article to apply the patches using SanerNow.

We strongly recommend users of Google Chrome to install the latest security updates without delay.


Operation WizardOpium exploiting Chrome Zero-Day
Article Name
Operation WizardOpium exploiting Chrome Zero-Day
Publisher Name
SecPod Technologies
Publisher Logo

Leave a Reply

Your email address will not be published. Required fields are marked *