Google squashes two more Chrome bugs under active attacks

The updates come on the heels of news of attacks exploiting another zero-day in Chrome in tandem with a previously-unknown Windows flaw.

Two weeks after patching an actively-exploited vulnerability affecting Chrome for desktop, Google is squashing another zero-day bug in the browser’s version for Windows, macOS, and Linux, as well as pushing out an update for Chrome for Android that plugs yet another security loophole that is being exploited in the wild.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” said the tech giant about the newly-disclosed flaw that stems from an inappropriate implementation in the V8 JavaScript engine and impacts the browser’s desktop versions.

The bug, classified as high-severity, was discovered by researchers from Google’s Threat Analysis Group and Project Zero. Details about the vulnerability are very sparse due to Google’s policy that clearly states that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

Per the National Vulnerability Database, the flaw “could allow an attacker to potentially exploit heap corruption via a crafted HTML page.”

RELATED READING: Security terms explained: What does Zero Day mean?

Users would do well to update their browsers to the latest version (86.0.4240.183) as soon as possible. If you have automatic updates enabled, your browser should update by itself. Otherwise you’ll have to do it manually by navigating to the About Google Chrome section, which can be found under Help in the side menu.

The update also brings fixes for a total of 10 vulnerabilities, with Google specifically listing seven high-risk flaws where the fixes were contributed by external researchers.

The news comes on the heels of another disclosure by Google about a zero-day in Windows that was found to be exploited in tandem with the Chrome zero-day revealed two weeks ago.

Android bug

Meanwhile, Google also confirmed that the flaw affecting Chrome for Android has been actively exploited by attackers as well. Indexed as CVE-2020-16010 and ranked as high in severity, the vulnerability is caused by a heap buffer overflow in the User Interface (UI) in Chrome for Android. It could enabled a remote threat actor who has compromised the renderer process to execute a sandbox escape using a crafted HTML page.

You shouldn’t hold off on updating to the latest Chrome version for Android (86.0.4240.185) once the update becomes available.

written by Amer Owaida, ESET We Live Security


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s