Chrome in the zero-day crosshairs

Thanks to the Kaspersky Exploit Prevention subsystem in our products, we recently detected an exploit — a malicious program letting attackers gain unauthorized access to the computer — that works through a vulnerability in the Google Chrome browser. It used a zero-day vulnerability, that is, one that was still unknown to the developers at the time. It was assigned the identifier CVE-2019-13720.

We reported the vulnerability to Google, which fixed it in the latest Chrome update. Here we describe how the attack that uses this vulnerability unfolds.

Update Chrome right now. In the new version of the browser, Google fixed a vulnerability that is already being used in so-called WizardOpium attacks.

WizardOpium: Bad news in Korean

The attacks, which we labeled Operation WizardOpium, began from a Korean news site into which the attackers injected malicious code. This code loads a script from a third-party site that first checks whether the system is suitable for infection and which browser the victim uses (the cybercriminals are interested in Chrome for Windows not older than version 65).

If the operating system and browser meet the requirements, the script downloads an exploit piece by piece, then reassembles and decrypts it. The first thing the exploit does is run yet another check on the version of Chrome. At this stage, it becomes pickier and works exclusively with Chrome 76 or 77. Perhaps the cybercriminal toolkit contains other exploits for different versions of the browser, but we cannot say for sure.

After verifying that it has found what it wanted, the exploit tries to leverage the use-after-free vulnerability CVE-2019-13720, a memory-safety flaw in which the browser keeps using memory after it has been freed. By manipulating memory, the exploit gains the ability to read and write memory on the device, which it immediately uses to download, decrypt, and run the malware. The malware itself can vary depending on the victim.

Kaspersky Lab products detect the exploit with the verdict Exploit.Win32.Generic. More technical details are available in the Securelist post.

Update Chrome

Even if you don’t read Korean news sites, we recommend that you immediately update Chrome to version 78.0.3904.87. There is already one exploit out there using this vulnerability, which means that others may follow. This will likely happen as soon as details of the vulnerability become freely available.

Google has released a Chrome update for Windows, macOS, and Linux. Chrome updates automatically, and simply restarting the browser should be enough.

To make doubly sure, check that the update has been installed. To do so, click on the three vertical dots in the upper right corner of the browser (“Customize and control Google Chrome”), and select Help → About Google Chrome. If the number you see is 78.0.3904.87 or higher, everything is in order. If not, Chrome will start looking for and installing available updates (a rotating circle appears on the left); after a few seconds the number of the latest version appears on the screen. Click Relaunch.
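Checking one machine by hand is fine, but an administrator will want to triage a whole fleet, for example from the User-Agent strings in proxy or web-server logs. The following is an added example, not code from the post or from Kaspersky; it compares Chrome versions numerically against the fixed build 78.0.3904.87 (a plain string comparison would rank "9.0" above "78.0.3904.87") and flags the Windows Chrome 76/77 population that the post says the exploit actually targets. The User-Agent strings and the "Windows"/"Chrome/" matching heuristics are constructed assumptions for the demo.

```python
import re

# Versions quoted in the post: the injected script only proceeds for Chrome on
# Windows >= 65, the exploit itself runs only on Chrome 76 or 77, and the fix
# shipped in Chrome 78.0.3904.87.
MIN_MAJOR_PROBED = 65
EXPLOIT_MAJORS = {76, 77}
FIXED_VERSION = (78, 0, 3904, 87)

# Coarse heuristic (assumption): other Chromium-based browsers also carry
# "Chrome/" in their User-Agent, so treat results as a triage list, not proof.
UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Turn '78.0.3904.87' into (78, 0, 3904, 87) so comparisons are numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the Chrome build is 78.0.3904.87 or newer."""
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # '78' compares as 78.0.0.0
    return v >= FIXED_VERSION


def classify_user_agent(ua: str) -> str:
    """Classify a logged User-Agent against the WizardOpium conditions."""
    m = UA_RE.search(ua)
    if not m:
        return "not-chrome"
    ver = m.group(1)
    if "Windows" not in ua:
        return "chrome-non-windows"        # the loader script skips these
    if is_patched(ver):
        return "patched"
    major = parse_version(ver)[0]
    if major in EXPLOIT_MAJORS:
        return "in-exploit-range"          # unpatched 76/77: highest priority
    if major >= MIN_MAJOR_PROBED:
        return "unpatched-outside-exploit-range"  # still needs the update
    return "below-probe-threshold"
```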