Kaspersky’s security researchers detected a new zero-day vulnerability in Chrome.
The attackers made a ‘waterhole-style’ injection in a Korean-language news portal, targeting users from the country by embedding malicious JavaScript code within the main page. After injection, a profiling script is loaded from a remote site and checks whether the victim’s computer is suitable for further compromise. If successful, the attacker can leverage the Use-After-Free (UaF) condition, which enables the attacker to execute any code.
Very similar to Lazarus attack
Version 78.0.3904.87 of Google’s popular web browsing software can let unprivileged users escalate their privileges so that they can corrupt or modify data in memory. Kaspersky named the vulnerability Operation WizardOpium. Researchers found many similarities when they compared it with the Lazarus attack. The vulnerability, which was discovered using Kaspersky’s automated threat detection systems, has the CVE number CVE-2019-13720.
Kaspersky researchers Anton Ivanov and Alexey Kulaev, who discovered and reported the vulnerabilities, claim that it is unclear which group of hackers is responsible for the cyber attacks. Chrome had similar use-after-free issues in the past few months too, so it is not something completely new. Google had to release zero-day patches back in March and last month for similar flaws. Anton Ivanov, a security expert at Kaspersky, talked about the issue:
The finding of a new Google Chrome zero-day in the wild once again demonstrates that it is only collaboration between the security community and software developers, as well as constant investment in exploit prevention technologies, that can keep us safe from sudden and hidden strikes by threat actors.
According to the technical details revealed by Kaspersky Labs, attackers compromised a Korean news portal to serve the exploit code. Computers that visited the website with the vulnerable version of Chrome were infected with this exploit. Users can remove this risk by installing the latest patch.