Researchers with Google’s Threat Analysis Group (TAG) and Project Zero discovered a zero-day exploit (CVE-2020-16009) last week. On Monday, Google released Chrome patch 86.0.4240.183 for Windows, macOS, and Linux that addresses the issue.
The patch notes do not divulge details regarding the security hole other than saying it has to do with an “inappropriate implementation” in the V8 JavaScript rendering engine. It also mentions the weakness is already being actively exploited.
“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” the patch notes read.
CVE-2020-16009 is the second actively exploited Chrome zero-day patched within the last two weeks after a heap buffer overflow zero-day bug found in the FreeType text-rendering library.
Last week, Google’s Project Zero 0day bug-hunting team disclosed an actively exploited Windows kernel elevation of privileges (EoP) zero-day tracked as CVE-2020-17087, affecting all versions between Windows 7 and Windows 10.
Six other security flaws addressed
Google also fixed six other high severity security vulnerabilities in Chrome 86.0.4240.183:
- CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
- CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2020-10-16
- CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
- CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
- CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
- CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01
Chrome 86.0.4240.183 is rolling out to users during the next days/weeks. Desktop users can upgrade by going to Settings -> Help -> About Google Chrome.
These two zero-day flaws come right on the heels of two others that Google recently fixed.
The Hacker News reported that CVE-2020-15999 a heap buffer overflow in font-rendering package Freetype was being actively exploited just two weeks ago. Another vulnerability (CVE-2020-17087) found late last week caused a buffer overflow in the Windows Kernel Cryptography Driver that created a sandbox escape. It, too, was being actively exploited.
The 86.0.4240.183 update includes several other high priority security patches as well. Google recommends updating both the desktop and Android versions of Chrome immediately.