November ’19 started with a scare as Google issued a disclaimer asking people to update their Chrome browser because of a security breakdown. The notice published by them stated that two “zero-day” exploits on their browser are vulnerable to cyber-attacks. It basically meant that a hacker can implement codes on your device before the original developer issues a fix. Anton Ivanov and Alexey Kulaev, two researchers from Kaspersky, a cybersecurity firm made this discovery.
The security alert read, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” It also stated that they would retain restriction if the bug persists in third party projects. The two vulnerabilities labelled as zero-day are ‘CVE-2019-13720’ and ‘CVE-2019-13721’. Both of them are use-after-free bugs and are categorized under high-severity threats.
A use-after-free condition gives hackers the chance to execute codes when the memory has been freed. He/she can cause a program to completely crash and execute arbitrary codes. They can also deploy full remote codes which could lead to catastrophic events such as losing user credentials.
In a world where data has become the new gold, this alert was a reality check. The search engine giant is involved in almost every login and these back doors gave miscreants an easy way into your privacy. Sources point out that the codes were similar and linked to a North Korean cybercriminal group.
To dig deeper into this subject, the plot deployed by hackers was as follows. A malicious code was inserted on the main page via the CVE-2019-13720 bug. It loaded a script from a remote site that checked whether the version of the browser is susceptible to move forward. Once the check was done, an exploit present in Chrome’s audio module gave raider a user-after-free condition for memory corruption.
The CVE-2019-13720 is also a similar type of bug but it existed in the PDFium. It’s a document management software developed by both Google and Foxit. It was discovered by the bug hunter Bananapenguin who received an undisclosed bounty. The search engine has assured PDFium and Chrome users that it will soon roll an update to fix these types of issues once and for all.
The last time something like this happened wasn’t too long ago. Earlier this year in March, Google Chrome possessed a memory management bug. Here the file reader was under active attacks while the patch was being performed by developers. The CVE-2019-5786 gave attackers an open door to go through Google security sandbox and run codes on the underlying OS. Cybersecurity has become a major concern for every corporation, big or small.
The millennials are dependent on sensitive technology and the statistics suggest that a hack takes place every 39 seconds. Cybercrime is rising at a staggering rate and it’s predicted that it would cost approximately $6trillion worth of damage by 2021. The demand for ethical hackers and cybercrime specialists is increasing exponentially. The criminals have become smarter with time, using new ways and tools to generate an impact big enough to gain billions! Stay safe by keeping your devices and software updated, what else can the commoners do?