2 More Google Chrome Zero-Days Under Active Exploitation


Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.

Google is asking Chrome desktop users to prepare to update their browsers once again as two more zero-day vulnerabilities have been identified in the software. Both allow an unauthenticated, remote attacker to compromise an affected system via the web. And both are being actively exploited in the wild, according to Google.

The disclosure brings to five the total number of actively exploited flaws found in Chrome within the last three weeks.

A stable channel update, 86.0.4240.198 for Windows, Mac and Linux, was released this week and will be rolled out “over the next days and weeks,” Google Chrome’s Prudhvikumar Bommana said in a blog post on Wednesday. The update will patch the two zero-day flaws, being tracked as CVE-2020-16013 and CVE-2020-16017.

Both have a severity rating of “high,” ranking 8.4 out of 10 on the CVSS bug-severity scale, and were reported by an anonymous source.
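As an added example (not code from Google or from this article), a fleet check can compare reported Chrome versions against the fixed desktop build 86.0.4240.198. The inventory format and host names are constructed, and the check assumes that any build numbered higher than the fixed one carries the patches.

```python
import re

# Fixed stable-channel build named in the article (Windows, Mac, Linux).
FIXED = (86, 0, 4240, 198)
DESKTOP = {"windows", "mac", "linux"}

# Constructed sample inventory: hostname, platform, reported Chrome version.
SAMPLE_INVENTORY = """\
ws-014,windows,86.0.4240.198
ws-022,windows,86.0.4240.75
mbp-003,mac,86.0.4240.183
build-07,linux,87.0.4280.66
kiosk-02,linux,86.0.4240
tab-11,android,86.0.4240.185
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    # The article gives a fixed build only for desktop; other platforms
    # are reported separately rather than compared against it.
    if platform.strip().lower() not in DESKTOP:
        return "out-of-scope"
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    # Compare numerically: as strings, "86.0.4240.75" sorts after
    # "86.0.4240.198" and would be wrongly reported as patched.
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map each host in a CSV-style inventory to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, platform, version = (f.strip() for f in line.split(","))
            results[host] = classify(platform, version)
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as "unparseable" or "out-of-scope" need a manual check rather than being counted as patched.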

CVE-2020-16017 is described by Google as a “use-after-free in site isolation,” which is the Chrome component that isolates the data of different sites from each other.

To exploit it, a remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system, according to researchers at Czech firm Cybersecurity Help.

CVE-2020-16013, meanwhile, is an “improperly implemented security check for standard” bug, a type of flaw in which the software does not implement, or incorrectly implements, one or more security-relevant checks. In this particular case, Google described the bug as an “inappropriate implementation in V8,” which is an open-source component of Chrome that handles JavaScript and WebAssembly.

To exploit it, a remote attacker can also create a specially crafted web page, trick the victim into visiting it and then be able to compromise the system, Cybersecurity Help noted.

Another zero-day that Google patched earlier this month, CVE-2020-16009, also was due to an inappropriate implementation in V8, but it’s unknown whether the two flaws are related. Google typically refrains from providing specific details about vulnerabilities until well after they are patched.

The latest spate of Chrome zero-day discoveries and patches started on Oct. 19, when security researcher Sergei Glazunov of Google Project Zero discovered a type of memory-corruption flaw called a heap-buffer overflow in FreeType that was being actively exploited. Google patched the vulnerability two days later.

Then last week, Google patched two separate zero-day flaws in Google’s Chrome desktop and Android-based browsers. The desktop bug is the aforementioned V8 vulnerability, which could be used for remote code execution and was discovered by researchers at Google’s Threat Analysis Group and Google Project Zero. The Android bug, also with an active exploit, is a sandbox-escape bug that opened up a possible attack based on a heap-buffer overflow in the user interface for Android, the company said.

The Google issues join several other recently patched zero-days, in Apple and Windows.

Indeed, threat actors have been on the offensive lately to target unpatched flaws in the ubiquitous software created by the three tech giants, keeping security researchers on their toes and the companies releasing updates on the fly to stay current with patches.
