Vulnerability summary for the week: November 6, 2020

 


This week brought a number of security updates addressing zero-day bugs that are being actively exploited in the wild and affect multiple products, including Google Chrome, Microsoft Windows, and Apple iOS.

Google released Chrome 86.0.4240.183 for Windows, Mac, and Linux, which contains security fixes for a total of ten vulnerabilities, including a flaw that is currently being exploited in the wild (CVE-2020-16009). This is the second Chrome zero-day bug Google has patched in two weeks, following CVE-2020-15999. CVE-2020-16009 is described as an inappropriate implementation in V8, Google's open-source high-performance JavaScript and WebAssembly engine.

A separate zero-day bug (CVE-2020-16010) has been fixed in Chrome for Android. The vulnerability is a heap-based buffer overflow that exists when processing untrusted HTML content in the UI of Google Chrome on Android. A remote attacker who has compromised the renderer process can perform a sandbox escape via a crafted HTML page.

This week also saw the disclosure of a Windows zero-day that is already being actively exploited in attacks, together with an already-patched bug in Google Chrome.

The Windows zero-day, tracked as CVE-2020-17087, resides in the Windows kernel and allows an attacker to elevate their privileges on the system. The vulnerability affects at least Windows 7 and Windows 10.

According to the reports, attackers are using this flaw together with a separate bug in Chrome (CVE-2020-15999), which Google fixed last month. CVE-2020-15999 is described as a heap buffer overflow bug in the FreeType rendering engine. The vulnerability “exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts,” and can be exploited with specially crafted fonts with embedded PNG images.

In the observed attacks the Chrome vulnerability was used to run malicious code inside Chrome, while CVE-2020-17087 was exploited for sandbox escape.

Apple has also released security updates for iOS and macOS to patch three zero-day vulnerabilities that were found to be exploited in real-world attacks. The three zero-days are CVE-2020-27930 (a remote code execution issue in the FontParser component that could result in compromise of the target system), CVE-2020-27932 (a privilege escalation vulnerability that lets attackers execute arbitrary code with elevated privileges), and CVE-2020-27950 (a memory leak vulnerability that allows attackers to gain access to potentially sensitive information).

Oracle has issued an out-of-band update to address a critical vulnerability affecting Oracle WebLogic servers. The flaw, tracked as CVE-2020-14750, is related to another WebLogic vulnerability (CVE-2020-14882) patched as part of the October 2020 Critical Patch Update (CPU), which is already being targeted by cybercriminals.

CVE-2020-14750 impacts Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0, and can be exploited remotely without user interaction.

A critical vulnerability (CVE-2020-27955) has been found in Git Large File Storage (Git LFS) that allows a remote user to compromise the affected system. The vulnerability exists due to insufficient validation of files. A remote user can upload a specially crafted binary to the repository and execute arbitrary code on the system.

Adobe addressed multiple vulnerabilities in its Reader and Acrobat products, including four remote code execution bugs (CVE-2020-24435, CVE-2020-24436, CVE-2020-24430, CVE-2020-24437). The rest of the flaws, rated as medium- and low-severity issues, could lead to local privilege escalation and information disclosure.
