
Google Chrome was hiding another zero-day flaw


Cybersecurity researchers from Kaspersky have discovered a new zero-day flaw in Chrome.

According to Kaspersky’s report, the attack exploiting the previously unknown vulnerability uses what’s called a ‘waterhole-style’ injection in a Korean-language news portal to target users from the country. Malicious JavaScript code embedded in the main page loads a profiling script from a remote site, which checks whether the victim’s system is suitable for further compromise.

If the check succeeds, the attacker can exploit a use-after-free (UaF) condition, which essentially allows the attacker to execute almost any code.

The flaw was used in a campaign Kaspersky calls ‘Operation WizardOpium’, which apparently has some similarities with the Lazarus attacks. The vulnerability was discovered using Kaspersky’s automated threat detection systems and has been assigned the identifier CVE-2019-13720.

We last heard from the Lazarus Group in March, when a global spearphishing campaign was discovered. Security firm McAfee said back then that it had found evidence linking Lazarus to the huge Operation Sharpshooter attack first detected last December, which used sophisticated spearphishing emails disguised as job recruitment messages.

Google was notified of this new flaw’s existence and a patch has already been issued.

“The finding of a new Google Chrome zero-day in the wild once again demonstrates that it is only collaboration between the security community and software developers, as well as constant investment in exploit prevention technologies, that can keep us safe from sudden and hidden strikes by threat actors,” said Anton Ivanov, a security expert at Kaspersky.

Kaspersky products detect the exploit as PDM:Exploit.Win32.Generic.