Are you running the latest version of Google Chrome (currently 86.0.4240.111)? We advise you to check whether your Chrome browser is updated as it may be prone to exploits. The best way to do so is by going to Chrome’s menu, selecting Help and about Google Chrome.
Why should you be concerned? Cybersecurity researchers discovered a series of high-severity vulnerabilities, including CVE-2020-15999, a zero-day bug exploited in the wild in targeted attacks.
CVE-2020-15999 Zero-Day Bug in Google Chrome
The actively exploited zero-day is a type of memory-corruption vulnerability, known as heap buffer overflow in FreeType, an open-source development library for rendering fonts included in standard Chrome distributions. The flaw was discovered by Google Project Zero’s security researcher Sergei Glazunov on October 19.
Ben Hawkes, Project Zero’s team leader, says that hackers have been abusing the FreeType vulnerability in attacks against Chrome users. The researcher urges other app vendors using FreeType to update their software to circumvent any future exploits. The FreeType library has been patched in version 2.10.4.
What else is known about the exploitation of the FreeType Chrome vulnerability? Details are scarce as Google is usually reluctant to reveal technical information so that users have enough time to update. However, an issue exists – the patch for the bug is visible in the source code of FreeType meaning that threat actors may be able to reverse-engineer it and create new exploits.
It is noteworthy that CVE-2020-15999 is the third zero-day exploited in attacks in the past year. CVE-2019-13720 was spotted in October 2019, and CVE-2020-6418 – in February 2020. CVE-2019-13720 was a use-after-free issue, related to memory corruption, whereas CVE-2020-6418 was a type confusion vulnerability.
Besides CVE-2020-15999, Google also addressed four other vulnerabilities, three of which rated as high-risk:
- CVE-2020-16000: Inappropriate implementation in Blink;
- CVE-2020-16001: Use after free in media;
- CVE-2020-16002: Use after free in PDFium;
- CVE-2020-16003: Use after free in printing (rated as medium).
We highly recommend you to update your Chrome browsers to version 86.0.4240.111 to stay protected.