Google has patched two zeroday vulnerabilities in its Chrome browser, the third time in two weeks that the company has fixed a Chrome security flaw that’s under active exploit.
According to a Monday tweet from Ben Hawkes, the head of Google’s Project Zero vulnerability and exploit research arm, CVE-2020-16009, as the first vulnerability is tracked, is a remote code-execution bug in V8, Chrome’s open source JavaScript engine. A second security flaw, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allows attackers to escape the Android sandbox, suggesting that hackers may have been using it in combination with a separate vulnerability.
Hawkes didn’t provide additional details, such as what desktop versions of Chrome were actively targeted, who the victims were, or how long the attacks had been going on. It also wasn’t clear if the same attack group was responsible for all three exploits. CVE-2020-16009 was in part discovered by a member of Google’s Threat Analysis Group, which focuses on government-backed hacking, suggesting that exploits of that vulnerability may be the work of a nation-state. Project Zero was involved in the discovery of all three of the zerodays.
The updates come two weeks after Google fixed CVE-2020-15999, an actively exploited vulnerability in Freetype, which Chrome and other, non-Google apps use to render fonts. To gain code-execution capabilities, hackers were combining exploits with a separate one that targeted currently unpatched bug in Windows 10 and Windows 7.
Desktop versions of Chrome typically update automatically. That means that, for most users, patches for CVE-2020-16009 and CVE-2020-15999 have already been installed. Chrome for Android is updated through Google Play. The Chrome Android advisory said the fix is incorporated into version 86.0.4240.185. The notice went on to say the update would be available “over the next few weeks,” but the phone I checked (a Pixel) already had it installed.
