An actively exploited zero-day vulnerability put many Google Chrome users at “High” risk. Given the severity of the vulnerability and the damage that successful exploitation could cause, Google has released an emergency patch to fix it. The stable version of Chrome 86.0.4240.111 is now available for Windows, Mac, and Linux, and it also fixes four other medium- to high-severity vulnerabilities.
Chrome’s Zero-Day Vulnerability
The vulnerability, which was reported by Sergei Glazunov of Google Project Zero on October 19, was said to be an arbitrary code execution (ACE) vulnerability that was actively exploited in the wild. According to the brief technical details made available by Google, the zero-day, tracked as CVE-2020-15999, is a heap buffer overflow bug in the FreeType font rendering library that’s included with standard Chrome distributions.
Speaking about the seriousness of the damage the bug could cause, Rody Quinlan, Security Response Manager at Tenable, said, “The zero-day is a memory corruption flaw [CVE-2020-15999] described as a ‘heap buffer overflow in FreeType.’ Successful exploitation of heap buffer overflows could lead to memory leakage which could potentially be used to lead to arbitrary code execution. As the Chrome flaw is being actively exploited in the wild, users are urged to update their browsers as soon as possible to reduce the risk of compromise.”
Along with the high-priority security fix for CVE-2020-15999, which had a turnaround time of less than 24 hours, Google also fixed four other medium- to high-severity vulnerabilities in Chrome version 86.0.4240.111. Here is the complete list:
- CVE-2020-16000, Severity – High: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06.
- CVE-2020-16001, Severity – High: Use after free in media. Reported by Khalil Zhani on 2020-10-05.
- CVE-2020-16002, Severity – High: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2020-10-13.
- CVE-2020-15999, Severity – High: Heap buffer overflow in FreeType. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19.
- CVE-2020-16003, Severity – Medium: Use after free in printing. Reported by Khalil Zhani on 2020-10-04.