UPDATE: It has been nearly a month, but the CVE entry for CVE-2019-13720 has finally been populated.
Zero-day vulnerability affecting Google Chrome
On Halloween night, while everyone was enjoying their family time, Google decided to join in on the fun by disclosing the scare of the night—an urgent update for the Chrome browser to patch an actively exploited zero-day vulnerability.
The vulnerability, tracked as CVE-2019-13720, is a use-after-free in Chrome's audio component: an attacker who can get a victim to load a crafted page can cause Chrome to dereference already freed memory and, from there, execute arbitrary code in the browser. Google shipped the fix in Chrome 78.0.3904.87 for Windows, macOS, and Linux.
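Knowing the first fixed build is what turns this advisory into something you can act on. The script below is an added example written for this post, not Flashpoint or Google code: it parses Chrome version strings, compares an installed version against 78.0.3904.87 (the fixed build named above) component by component, and runs that check over a small inventory. The hostnames and version strings in the inventory are constructed for illustration; only the fixed version comes from the advisory.

```python
"""Check Chrome versions against the first build fixed for CVE-2019-13720.

Added example for this post (not Flashpoint or Google code). The fixed build,
78.0.3904.87, is the one fact taken from Google's 2019-10-31 stable update;
the inventory of hostnames and versions below is constructed for illustration.
"""
import re
import subprocess
from typing import Tuple

FIXED_VERSION = "78.0.3904.87"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '78.0.3904.70' into (78, 0, 3904, 70).

    Chrome versions are always four dotted integers (MAJOR.MINOR.BUILD.PATCH);
    anything else is rejected rather than silently treated as patched.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed one.

    Tuples compare component-wise, so 78.0.3904.9 correctly sorts below
    78.0.3904.87; a plain string comparison would call it newer.
    """
    return parse_version(installed) < parse_version(fixed)


def chrome_version_from_output(output: str) -> str:
    """Pull the version out of what `google-chrome --version` prints,
    e.g. 'Google Chrome 78.0.3904.70 ' -> '78.0.3904.70'."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)", output)
    if not m:
        raise ValueError(f"no version found in {output!r}")
    return m.group(1)


def installed_chrome_version(binary: str = "google-chrome") -> str:
    """Ask the local Chrome binary for its version (Linux/macOS CLI).

    Raises if the binary is not on PATH; callers decide how to report that.
    """
    out = subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=True
    ).stdout
    return chrome_version_from_output(out)


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> Chrome version reported by the host.
    inventory = {
        "wkstn-01": "78.0.3904.70",  # pre-patch stable build, vulnerable
        "wkstn-02": "78.0.3904.87",  # first fixed build
        "wkstn-03": "78.0.3904.9",   # a naive string compare would call this "newer"
        "wkstn-04": "79.0.3945.16",  # later major version, fixed
    }
    for host, ver in inventory.items():
        status = "VULNERABLE" if is_vulnerable(ver) else "patched"
        print(f"{host}: Chrome {ver} -> {status}")
```

The `installed_chrome_version` helper is there for a single host; at fleet scale you would feed `is_vulnerable` the version strings your endpoint inventory already collects, and treat a parse failure (an unparseable or missing version) as "unknown, investigate" rather than as patched.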
The importance of vulnerability discovery
Our research team caught wind of the news and immediately updated VulnDB® with details on the vulnerability, including its solution. Clients with real-time alerts set up for Google or Chrome were notified with prioritization and remediation information as soon as we published the entry, and within a few hours even more metadata was added.
Others are not so lucky. As of 11/25/2019 (this post was first written on 11/1/2019), the CVE entry remains in RESERVED status despite the urgency and the fact that the vulnerability is being actively exploited. Interestingly enough, in the time since the Chrome zero-day dropped, CVE has pushed out assignments for issues disclosed as far back as 2012. Out of the 2,722 vulnerabilities in Chrome we're aware of, 896 (33 percent) do not have a CVE ID assigned at all.
Additionally, an organization that stumbles upon this entry while scrambling for a solution will find that NVD lacks any actionable details.
In situations like these, you need actionable and timely vulnerability intelligence. Very few organizations have the resources to monitor and validate the massive volume of vulnerability reports disclosed every day, so very few can be proactive on their own. Without a comprehensive vulnerability intelligence source, remediating this vulnerability would have been extremely difficult unless you knew exactly where to look, and when.
Identify and remediate vulnerabilities with Flashpoint
Interested in seeing a comprehensive source of vulnerability intelligence for yourself? Sign up for a free VulnDB trial to gain visibility into over 297,000 vulnerabilities affecting IT, OT, IoT, and third-party libraries and dependencies.