Google fixes two more Chrome zero-days that are being actively exploited
Google has fixed two zero-day security holes in its Chrome browser. For the third time in two weeks, the company has fixed a Chrome vulnerability that is currently being actively exploited.
Hawkes did not provide any additional details, for example which desktop versions of Chrome were actively attacked, who the victims were, or how long the attacks lasted. It was also not clear whether the same attack group was responsible for all three exploits. CVE-2020-16009 was discovered in part by a member of Google's Threat Analysis Group, which focuses on government-sponsored hacking, suggesting that exploitation of this vulnerability could be the work of a nation state. Project Zero was involved in the discovery of all three zero-days.
The updates come two weeks after Google fixed CVE-2020-15999, an actively exploited vulnerability in FreeType, which Chrome and other non-Google apps use to render fonts. To gain code execution, attackers combined that exploit with a separate one targeting a still-unpatched bug in Windows 10 and Windows 7.
Desktop versions of Chrome are usually updated automatically, which means that most users who have recently restarted their browser are already patched against CVE-2020-16009 and CVE-2020-15999. Chrome for Android is updated through Google Play. The Chrome for Android notice says that the fix is included in version 86.0.4240.185. The notice goes on to say that the update would be available "in the next few weeks", but on the phone (a Pixel) I checked it was already installed.