Vulnerability Scare from Beyond the Grave
November 1, 2019 • RBS
UPDATE: It has been nearly a month, but CVE has finally updated CVE-2019-13720!
On Halloween night, while everyone was enjoying their family time, Google decided to join in on the fun by disclosing the spookiest scare of the night: an urgent update for the Chrome browser to patch an actively exploited zero-day vulnerability.
The vulnerability allows an attacker to dereference already freed memory and execute arbitrary code in Chrome.
Our research team caught wind of the news and immediately updated VulnDB® with details on the vulnerability, including its solution. Clients that set up real-time alerts for Google or Chrome were notified with prioritization and remediation information as soon as we had disclosed it and, within a few hours, even more metadata was added.
Others are not so lucky. As of 11/1/2019 (updated: 11/25/2019), the current CVE entry remains in RESERVED status despite the urgency and existence of a public exploit. Interestingly enough, CVE has pushed out assignments for issues disclosed in 2012 since the Chrome zero-day dropped, making us wonder about their priorities. Perhaps this shouldn’t be too big of a shock, since out of the 2,722 vulnerabilities in Chrome we’re aware of, 896 (33%) do not have a CVE ID assigned at all.
Additionally, if an organization stumbles upon this entry while searching in a panic for a solution, it will be saddened to see that NVD also lacks details.
In situations like these, you need actionable and timely vulnerability intelligence. Very few organizations can be entirely proactive in these situations without the resources necessary to monitor and validate the massive number of vulnerability reports disclosed every day. For users who are not using a comprehensive vulnerability intelligence solution, remediating this vulnerability would be extremely difficult unless they knew exactly where to look, and when.
For those who may still be affected by this vulnerability, the details on the disclosure can be found here. For VulnDB customers, you can find a completed entry with additional details and metadata once you authenticate to the portal.
Interested in seeing this for yourself? We would love to show you how VulnDB is the world’s most comprehensive, detailed, and timely source of vulnerability intelligence on the market.