Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser

  • The memory-corruption vulnerability exists in the browser’s FreeType font rendering library.

    Google released an update to its Chrome browser that patches a zero-day vulnerability in the software’s FreeType font rendering library that was being actively exploited in the wild.

    Security researcher Sergei Glazunov of Google Project Zero discovered the bug, which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

    By Tuesday, Google had already released a stable channel update, Chrome version 86..4240.111, that deploys five security fixes for Windows, Mac and Linux, among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk.

    “Google is aware of studies that an exploit for CVE-2020-15999 exists in the wild,” Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.

    Andrew R. Whalley, a member of the Chrome security team, gave his team kudos on Twitter for the “super-fast” response to the zero-day.

    Still, Ben Hawkes, technical lead for the Project Zero team, warned that although Google researchers only observed the Chrome exploit, it is possible that other implementations of FreeType could be vulnerable as well, because Google was so quick in its response to the bug. He referred users to a fix by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.

    “The repair is also in today’s stable release of FreeType 2.10.4,” Hawkes tweeted.

    Meanwhile, security researchers took to Twitter to urge people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.

    “Make positive you update your Chrome currently! (restart it!),” tweeted London-based software security advisor Sam Stepanyan.

    In addition to the FreeType zero-day, Google patched four other bugs, three of high risk and one of medium risk, in the Chrome update released this week.

    The high-risk vulnerabilities are: CVE-2020-16000, described as “inappropriate implementation in Blink”; CVE-2020-16001, described as “use after free in media”; and CVE-2020-16002, described as “use after free in PDFium,” according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as “use after free in printing,” Bommana wrote.

    So far in the past 12 months, Google has patched three zero-day vulnerabilities in its Chrome browser. Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability patched last Halloween night and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February.