In addition, one of the vulnerabilities was being exploited by attackers. The rollout of the new version is in progress.
This update includes two security fixes. One is for a use-after-free vulnerability in PDFium (CVE-2019-13721), rated high. The other, also rated high, is a use-after-free in audio (CVE-2019-13720), for which exploits are currently in use.
The issue was reported to Google on October 29, and Google quickly fixed it.
If an attack finds a victim, an encrypted payload that looks like a .jpg file is delivered. The payload is then decrypted, and an executable file is dropped and run.
Kaspersky said the exploit takes advantage of the Windows Task Scheduler for persistence and its main module is designed to download other modules from a command and control (C&C) server.
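A defensive check for the delivery step described above, where an encrypted payload is disguised as a .jpg file. This is an added example, not code from Kaspersky or Google. It assumes the disguise is in the file name only, so the content lacks the JPEG start marker; the 7.0 bits-per-byte entropy threshold and all sample files are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"      # every JPEG stream starts with this marker
ENTROPY_THRESHOLD = 7.0         # assumed cut-off in bits per byte, tune locally


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Compare what a file claims to be (its name) with what its bytes are."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return "skipped"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    # Not a JPEG despite the name. Genuine JPEGs are high-entropy as well, so
    # entropy only means something once the magic-byte check has failed.
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "suspicious"     # looks encrypted or packed
    return "mismatch"           # renamed text or other low-entropy content


def constructed_samples() -> dict:
    """Constructed inputs, not artefacts from the campaign described above."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return {
        "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(64) + b"\xff\xd9",
        "banner.jpg": blob,     # pseudo-random stand-in for ciphertext
        "notes.jpg": b"plain text renamed to .jpg\n" * 40,
        "readme.txt": b"not an image name",
    }


if __name__ == "__main__":
    for fname, content in constructed_samples().items():
        print(f"{fname:12} {classify(fname, content)}")
```

The same comparison can be run over proxy-extracted downloads or a browser cache directory by reading each file's bytes and passing them to `classify`.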