Google fixes two more Chrome zero-days that were being actively exploited


Google has fixed two zero-day security holes in its Chrome browser. For the third time in two weeks, the company has fixed a Chrome vulnerability that is currently being actively exploited.

According to a Monday tweet from Ben Hawkes, head of Google's Project Zero vulnerability and exploit research team, the first vulnerability, tracked as CVE-2020-16009, is a remote code execution bug in V8, Chrome's open source JavaScript engine. A second vulnerability, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allowed attackers to escape the Android sandbox, suggesting that hackers may have used it in combination with a separate vulnerability.

Hawkes did not provide any additional details, such as which desktop versions of Chrome were actively attacked, who the victims were, or how long the attacks lasted. It was also not clear whether the same attack group was responsible for all three exploits. CVE-2020-16009 was discovered in part by a member of Google's Threat Analysis Group, which focuses on government-sponsored hacking, suggesting that exploitation of this vulnerability could be the work of a nation state. Project Zero was involved in the discovery of all three zero-days.

The updates come two weeks after Google fixed CVE-2020-15999, an actively exploited vulnerability in FreeType, a library that Chrome and non-Google apps use to render fonts. To gain code execution, attackers combined an exploit for it with a separate exploit that targeted currently unpatched bugs in Windows 10 and Windows 7.

Desktop versions of Chrome are usually updated automatically. This means that most users have already patched CVE-2020-16009 and CVE-2020-15999 if they recently restarted their browser. Chrome for Android is updated through Google Play. The Chrome for Android notice says that the fix is included in version 86.0.4240.185. The notice goes on to say that the update would be available "in the next few weeks", but the phone (a Pixel) I checked already had it installed.


Steven Gregory