Flaws in Google’s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google’s Project Zero went one step further and asserted that both bugs are actively being exploited.
In its Chrome browser update for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. Tracked as CVE-2020-16009, this bug is the most troubling, rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google’s open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an “inappropriate implementation in V8”.
Clement Lecigne of Google’s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a blog post announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero’s team.
As for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned on Monday of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on “heap buffer overflow in UI on Android” conditions. Credited for discovering the bug on Oct. 31 is Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.
‘Actively Exploited in the Wild’
Google said it was withholding the technical details of both bugs, pending the distribution of patches to effected endpoints. While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google’s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.
“Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,” he wrote.
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. https://t.co/IOhFwT0Wx1
— Ben Hawkes (@benhawkes) November 2, 2020
As a precaution, Google said in its security update that it would “also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” according to the post.
The Other Android Bugs
The new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.
Vulnerabilities patched in the Chrome desktop update included a “use after free” bug (CVE-2020-16004); an “insufficient policy enforcement in ANGLE” flaw (CVE-2020-16005); an “insufficient data validation in installer” issue (CVE-2020-16007) and a “stack buffer overflow in WebRTC” bug (CVE-2020-16008). Lastly there Google reported a “heap buffer overflow in UI on Windows” tracked as (CVE-2020-16011).
This week’s Chrome updates come on the heels of zero-day bug reported and patched last week by Google effecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome’s FreeType font rendering library.
The latest vulnerabilities mean that in that just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability patched last Halloween night and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.