
CVE-2020-15999: FreeType Zero-Day Bug in Chrome Exploited in the Wild

Are you running the latest version of Google Chrome (currently 86.0.4240.111)? We advise you to check whether your Chrome browser is up to date, as older versions may be open to exploitation. The easiest way to check is to open Chrome’s menu and select Help, then About Google Chrome.

Why should you be concerned? Cybersecurity researchers discovered a series of high-severity vulnerabilities, including CVE-2020-15999, a zero-day bug exploited in the wild in targeted attacks.

CVE-2020-15999 Zero-Day Bug in Google Chrome

The actively exploited zero-day is a memory-corruption vulnerability, specifically a heap buffer overflow in FreeType, an open-source font-rendering library included in standard Chrome distributions. The flaw was discovered by Google Project Zero security researcher Sergei Glazunov on October 19.

Ben Hawkes, Project Zero’s team leader, says that hackers have been abusing the FreeType vulnerability in attacks against Chrome users. He urges other app vendors using FreeType to update their software to prevent future exploitation. The FreeType library has been patched in version 2.10.4.

What else is known about the exploitation of the FreeType Chrome vulnerability? Details are scarce, as Google usually withholds technical information so that users have enough time to update. There is a catch, however: the patch for the bug is visible in FreeType’s source code, meaning that threat actors may be able to reverse-engineer it and create new exploits.

It is noteworthy that CVE-2020-15999 is the third zero-day exploited in attacks in the past year. CVE-2019-13720 was spotted in October 2019, and CVE-2020-6418 in February 2020. CVE-2019-13720 was a use-after-free issue, a form of memory corruption, whereas CVE-2020-6418 was a type confusion vulnerability.

Besides CVE-2020-15999, Google also addressed four other vulnerabilities, three of which are rated as high-risk:

  • CVE-2020-16000: Inappropriate implementation in Blink;
  • CVE-2020-16001: Use after free in media;
  • CVE-2020-16002: Use after free in PDFium;
  • CVE-2020-16003: Use after free in printing (rated as medium).

We highly recommend that you update your Chrome browser to version 86.0.4240.111 to stay protected.
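For administrators checking more than one machine, the same version check can be scripted across an inventory of Chrome installs and FreeType copies. The following is an added example, not code from this article or from Google; the inventory format and host names are constructed, and only the fixed versions 86.0.4240.111 and 2.10.4 come from the text above.

```python
import re

# Fixed versions as stated in the article.
FIXED = {
    "chrome": (86, 0, 4240, 111),
    "freetype": (2, 10, 4),
}

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_patched(product, version_text):
    """True/False when the version can be judged, None when it cannot."""
    fixed = FIXED.get(product.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return None
    # Compare numerically, not as strings: "2.9" must sort below "2.10".
    # Pad to equal length so "2.11" is treated as 2.11.0.
    width = max(len(fixed), len(found))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(fixed)

def audit(inventory_text):
    """Return (host, product, version, status) for each inventory line."""
    labels = {True: "patched", False: "needs-update", None: "unknown"}
    results = []
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0].startswith("#"):
            continue  # skip comments, blanks and malformed rows
        host, product, version = fields
        results.append((host, product, version,
                        labels[is_patched(product, version)]))
    return results

# Constructed sample inventory (hypothetical hosts): "host product version".
SAMPLE = """\
# host      product   version
ws-01       chrome    86.0.4240.111
ws-02       chrome    86.0.4240.75
build-01    freetype  2.10.2
build-02    freetype  2.10.4
kiosk-01    chrome    85.0.4183.121
app-01      freetype  unknown
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-9s %-9s %-15s %s" % row)
```

Rows reported as "unknown" need a manual look, since a FreeType copy bundled inside another application may not expose its version in a parseable form.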

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
