Users should update Chrome: Google patched second zero-day in two weeks

by Ugnius Kiguolis - -

Google released a new Chrome update for Mac, Windows, and Linux users in order to eliminate vulnerabilities including a new zero-day

Google patched new Chrome zero-day

The newest Chrome version (86.0.4240.183) made by Google should help Windows, Mac, and Linux devices to avoid 10 security vulnerabilities. One of them is a remote code execution (RCE) zero-day that is actively exploited in the wild. This is the second zero-day in two weeks. Google recommends updating the Chrome browser as soon as possible if users want to stay safe.

A zero-day[1] is a computer-software vulnerability. Hackers are exploiting such bugs by adversely affecting device programs, data, a network, or even additional computers.

The latest zero-day was reported on October 29 by Clement Lecigne from Google's Threat Analysis Group and Samuel Groß from Google Project Zero. The RCE vulnerability is named CVE-2020-16009. It is an inappropriate implementation in V8,[2] Google's open-source and C++ based high-performance WebAssembly and JavaScript engine.

Of course, typical to the Google team, the details about zero-day and the group exploiting the bug were not made public. This way Chrome users have more time to install the necessary updates and other threat actors cannot develop more exploits for the same zero-day.

The last two weeks are marked with two Chrome zero-days: CVE-2020-16009 and CVE-2020-15999

Unfortunately, this is the second zero-day in two weeks that Google found to be actively exploited in the wild. On October 20th, Google released a patching security update for Chrome because the team found zero-day in Chrome's FreeType rendering library.[3] Identified as CVE-2020-15999, the vulnerability was used along with Windows zero-day named CVE-2020-17087.[4]

Chrome vulnerability was used to run malicious code in the Chrome browser, while Windows zero-day was used to elevate the code's permissions and attack the underlying Windows operating system. While Google already patched the vulnerability, Microsoft is going to fix its problem on November 10, when the company releases the latest patch.

Google has not confirmed whether these zero-days were exploited by the same cybercriminals. But the company advise updating the Chrome browser to version 86.0.4240.183 or newer.

Google patched six other security vulnerabilities in Chrome

According to Google,[5] the company also fixed six other high severity flaws with its newest Chrome update. The following vulnerabilities were found and patched:

  • CVE-2020-16004: use after free in the user interface,
  • CVE-2020-16005: insufficient policy enforcement in ANGLE,
  • CVE-2020-16006: inappropriate implementation in V8,
  • CVE-2020-16007: insufficient data validation in installer,
  • CVE-2020-16008: stack buffer overflow in WebRTC,
  • CVE-2020-16011: heap overflow in UI on Windows.

If users want to avoid these vulnerabilities and stay safe on the internet, they should upgrade Chrome by going to its settings. Desktop users can check if the new update is available following these steps: Settings -> Help -> About Google Chrome. Here the Chrome browser will automatically check for a new update. The browser will install the new Chrome version if an update is available. In fact, for security reasons, users should regularly update all programs, not just Chrome browser.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

Your opinion regarding Users should update Chrome: Google patched second zero-day in two weeks