eSentire White Logo

Security advisories | Nov 25, 2019

CVE-2019-13720 Chrome Zero-Day

The threat:

On October 31, 2019, Google released security updates for the Chrome browser to mitigate an actively exploited zero-day vulnerability [1]. CVE-2019-13720 is a use-after-free vulnerability in the Chrome audio component. If exploited, use-after-free vulnerabilities may allow for various multiple malicious actions. Due to the reports of active exploitation of CVE-2019-13720, users are recommended to upgrade to the most recent version of Chrome as soon as possible.

What we’re doing about it:

  • The eSentire Threat Intelligence Team is actively monitoring this topic for emerging details.
  • Known IoCs have been checked against esENDPOINT clients and monitoring is ongoing.
  • MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability
  • Plugins are expected to be leveraged in scans starting between Saturday, November 2, and Sunday, November 3, 2019

What you should do about it:

  • Update to version 78.0.3904.87 of the Chrome browser
    • It should be noted that even if auto-update is enabled, users need to exit and re-open Chrome for the update to be applied
    • Chrome updates for Windows can be pushed by system administrators through the Group Policy Management Editor [2]

Additional information:

Details on CVE-2019-13720 remain minimal as Google is holding onto information until users have time to update. Kaspersky identified the zero-day vulnerability and has released some additional details regarding attacks in the wild [3].

A second vulnerability, CVE-2019-13721, was also fixed in the most recent release of Chrome. CVE-2019-13721 is also a use-after-free vulnerability but there are currently no reports of exploitation in the wild.

Indicators of compromise [3]:

  • behindcorona[.]com
  • code.jquery.cdn.behindcorona[.]com
  • 8f3cd9299b2f241daf1f5057ba0b9054
  • 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd
  • 27e941683d09a7405a9e806cc7d156c9
  • 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48
  • f614909fbd57ece81d00b01958338ec2
  • cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb
  • [email protected][.]com