Google revealed a security flaw on Halloween, so maybe update Chrome now

While you were out trick or treating on Halloween night, Google engineers released a warning about a new Chrome security flaw.

On Oct. 31, Google shared information regarding two recently discovered vulnerabilities. The search giant has confirmed that a zero-day exploit exists for one of these security issues.

A zero-day exploit is basically when a nefarious party discovers a bug they can use for a cyber attack before the original developer can issue a fix.

Google released a security update to fix the problem that will roll out automatically to all users in the coming days and weeks. Users can manually update Google Chrome immediately by going to the “About Google Chrome” section in the menu bar.

“This version addresses vulnerabilities that an attacker could exploit to take control of an affected system,” said a statement released by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).

Google hasn’t divulged many details about the flaws, which the company says is for security purposes.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” reads the security alert from Google. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

However, here’s what we know so far. The two vulnerabilities, CVE-2019-13720 and CVE-2019-13721, are considered “use-after-free” flaws. This is when an application attempts to reference previously used memory after it’s been freed or deleted. When this occurs, bad actors can exploit the memory corruption to execute malicious code.

One of the two Chrome bugs affect the PDFium library, which generates PDFs. The other, which has a zero-day exploit in the wild, involves Chrome’s audio component.

The discovery was made by Anton Ivanov and Alexey Kulaev, two researchers from the cybersecurity firm Kaspersky.

Google Chrome’s last major security vulnerability involving a zero-day exploit occurred just earlier this year. The company pushed out an update in March after a memory management error involving FileReader was discovered.