Google Chrome fixed second 0-day vulnerability in two weeks

0-day vulnerability in Google Chrome

Google developers have released Chrome version 86.0.4240.183 for Windows, Mac and Linux, which fixes 10 different problems. The update also includes a patch for a 0-day vulnerability in Google Chrome that attackers are already actively exploiting.

The bug was identified as CVE-2020-16009 and was discovered by the Threat Analysis Group (TAG), Google’s internal security team dedicated to tracking attackers and their ongoing operations.

The issue is located in the V8 JavaScript engine and allows arbitrary code execution (RCE). So far, that is about all that can be said about the problem based on the available data.

So far, details about the vulnerability and its exploitation have not been disclosed. It is worth noting that this is a common practice for Google: the company’s specialists can “keep silent” for months on the technical details of bugs in order not to give cybercriminals hints and allow users to install updates calmly.

I must say that two weeks ago, Google experts fixed another 0-day vulnerability in their browser. That bug was also discovered internally, by Google Project Zero specialists. It was identified as CVE-2020-15999 and affected the FreeType font rendering library that ships with standard Chrome distributions. It is known that the bug is a memory corruption issue.

Google’s information security specialists describe the issue as follows: “A vulnerability exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts. The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap.”
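An added illustration of this bug class (a constructed example, not FreeType’s, libpng’s or Google’s code): a PNG IHDR stores width and height as 32-bit big-endian values, and a loader that silently narrows them to 16-bit bitmap metrics allocates a buffer too small for the rows libpng will write; the check at the end rejects such dimensions before any allocation. The function names and the sample header are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* 32-bit big-endian integer, as used by PNG chunk fields. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical minimal IHDR reader: PNG signature followed by the IHDR chunk.
 * Returns 0 on success, -1 if the header is malformed. CRC is not verified. */
int read_ihdr(const unsigned char *buf, size_t len, uint32_t *w, uint32_t *h) {
    static const unsigned char sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};
    if (len < 8 + 4 + 4 + 13 + 4 || memcmp(buf, sig, 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    *w = be32(buf + 16);
    *h = be32(buf + 20);
    return 0;
}

/* Allocation a loader makes if it narrows the dimensions to 16-bit metrics
 * first (4 bytes per RGBA pixel). The casts are the silent truncation. */
size_t truncated_bitmap_size(uint32_t w, uint32_t h) {
    uint16_t tw = (uint16_t)w, th = (uint16_t)h;
    return (size_t)tw * th * 4;
}

/* Hardened check: accept only dimensions that survive the narrowing intact. */
int dims_fit_u16(uint32_t w, uint32_t h) {
    return w <= 0xFFFF && h <= 0xFFFF;
}

/* Bytes by which the truncated allocation falls short of what the 32-bit
 * dimensions need; 0 when there is no mismatch or the header is rejected. */
uint64_t shortfall_bytes(const unsigned char *buf, size_t len) {
    uint32_t w, h;
    if (read_ihdr(buf, len, &w, &h) != 0) return 0;
    return (uint64_t)w * h * 4 - truncated_bitmap_size(w, h);
}
/* Constructed sample: 65536 x 1 pixels, 8-bit RGBA; CRC bytes are a placeholder. */
static const unsigned char sample_png[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a, 0,0,0,13, 'I','H','D','R',
    0,1,0,0, 0,0,0,1, 8,6,0,0,0, 0,0,0,0 };

int main(void) {
    printf("truncated allocation short by %llu bytes; accepted by check: %s\n",
           (unsigned long long)shortfall_bytes(sample_png, sizeof sample_png),
           dims_fit_u16(65536u, 1u) ? "yes" : "no");
    return 0;
}
```

With the sample header the 16-bit width wraps to 0, so the loader would allocate nothing for a 262144-byte bitmap; the same comparison of the original and narrowed values is what a fixed loader must do before allocating.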

Let me remind you that CVE-2020-15999 was used in conjunction with another 0-day vulnerability – CVE-2020-17087, a serious bug found in the Windows kernel.

In that attack, the Chrome vulnerability was used to run malicious code inside the browser, and the Windows 0-day was used in the second stage, which allowed the attackers to leave Chrome’s secure container and execute code at the OS level (that is, to escape the sandbox). Microsoft is expected to fix this issue on November 10th as part of Patch Tuesday.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
