Google Chrome Latest Patch Fixes Zero-Day Under Exploitation

• Google Chrome has received an update that fixed four high and one medium severity flaws.
• One of the identified and plugged vulnerabilities has been actively exploited in the wild for a while.
• Google fixed it within two days, and all users are now advised to apply the patch immediately.

Google has released Chrome version 86.0.4240.111, which fixes five security vulnerabilities in the world’s most popular and widely used web browser. Among them, there’s CVE-2020-15999, a nasty memory-corruption (heap buffer overflow) vulnerability existing in FreeType, one of the open-source libraries used in Chrome for rendering fonts. Besides the bug’s criticality, which is always an important factor to consider, Google says they’ve seen it being actively exploited in the wild, so updating to the latest version immediately is crucial.

Those who want to dive deeper into the technical aspect of the flaw and its exploitation potential may check out this post by Google researcher Sergei Glazunov. Long story short, the flaw lies in the way FreeType processes PNG images that are embedded into fonts. If an attacker creates a specially crafted font containing dimension values that go beyond what can be fitted into the bitmap, an arbitrary code execution condition is created.

Glazunov has even developed and shared a “proof-of-concept” font to prove the case and highlight the fact that exploiting this bug doesn’t require extreme hacking skills.

Related: Google’s Threat Analysis Experts Detected Over 120 APT Attacks Per Day in 2020

The other fixes that landed with the latest version are the following:

• CVE-2020-16000: Inappropriate implementation in Blink – high severity
• CVE-2020-16001: Use after free in media – high severity
• CVE-2020-16002: Use after free in PDFium – high severity
• CVE-2020-16003: Use after free in printing – medium severity

If you are using Chrome or a Chrome-based web browser, you should have already received the automatically-generated update notification. It is important to understand that when there are fixes on actively exploited zero-days like the heap buffer overflow in Freetype, postponing or delaying the update is introducing great risks to your security. Arbitrary code execution can have a wide range of dire consequences for the target, so it’s not just something that would freeze your browser tab.

Google got to learn about this flaw thanks to its “Project Zero” team on October 19, 2020. They fixed it promptly and before the seven-day deadline that is set on “wild” zero-days, while more technical details will be published on October 26, 2020. The company has not clarified approximately since when this flaw has been under active exploitation.