12 November 2020

Google fixes two new Chrome zero days



Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux, which addresses two zero-day vulnerabilities that are currently being exploited in the wild. That makes a total of five zero days patched by the tech giant in recent weeks.

As always, the company refrained from publishing technical details of said vulnerabilities until a majority of users are updated with a fix.

The two zero days are tracked as CVE-2020-16013 and CVE-2020-16017. The first is described as an inappropriate implementation in V8, which can lead to a system takeover, while the second is a use-after-free issue within the site isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error, and execute arbitrary code on the target system.

Last month, Google released a security update for Chrome to patch several vulnerabilities, including CVE-2020-15999, a zero-day issue in the FreeType rendering engine. As Google revealed, the CVE-2020-15999 flaw was used in attacks together with a zero-day vulnerability (CVE-2020-17087) in the Windows kernel. In the observed attacks, the Chrome vulnerability was used to run malicious code inside Chrome, while CVE-2020-17087 was exploited for sandbox escape.

Last week, Google fixed a couple of zero days affecting Chrome for desktop (CVE-2020-16009) and Chrome for Android (CVE-2020-16010). While it appears that some of the above-mentioned issues were used as part of an exploit chain, the company has yet to disclose information about who may have been exploiting them or who the attacks were aimed at.
