Update alert: Google patches zero-day Chrome vulnerability

Google was recently alerted by one of its own researchers to a memory corruption vulnerability in its Chrome browser. The flaw, a zero-day cataloged as CVE-2020-15999, was uncovered by Sergei Glazunov, who works with Google’s internal security team Project Zero. This was confirmed in a blog post by Google that acknowledges the bug finders who brought the flaws to its attention. The blog post covers multiple vulnerabilities that Google has patched, and in the case of CVE-2020-15999, post author Prudhvikumar Bommana stated the following:

Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.

The memory corruption vulnerability, which has a high severity ranking on the Common Vulnerability Scoring System (CVSS), results from a heap buffer overflow in FreeType. FreeType is an open-source software development library for fonts that is bundled with Chrome and so reaches a large number of users.

Google patched this Chrome vulnerability quickly after being notified, but the existence of an exploit in the wild is a cause for concern. It is not known how long this zero-day existed, but exploits of this type can potentially allow a black hat hacker to gain control of the browser and even your machine.

For this reason, it is recommended that you update Chrome to version 86.0.4240.111 immediately. Experts took to Twitter to warn their followers of the consequences of ignoring this update. Sam Stepanyan, a leader of OWASP’s London chapter, warned Twitter followers that “attackers can execute arbitrary code on your computer.”
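For administrators checking more than one machine against that version, the comparison has to be numeric per component, because a plain string comparison ranks 86.0.4240.75 above 86.0.4240.111. The following is an added example, not code from Google or from the original article; the host names and version strings in the inventory are constructed sample values, and it applies to Google Chrome version numbers only.

```python
import re

# Fixed Chrome release named in the article.
PATCHED = (86, 0, 4240, 111)

# Constructed inventory: hypothetical host names paired with the text a
# browser version query might return. Sample values only.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 86.0.4240.111"),
    ("ws-002", "Google Chrome 86.0.4240.75"),
    ("ws-003", "Google Chrome 85.0.4183.121 "),
    ("ws-004", "Google Chrome 87.0.4280.66"),
    ("ws-005", "version unknown"),
]

# Chrome versions have four dot-separated numeric components.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, patched=PATCHED):
    """Classify one version string against the patched release."""
    version = parse_version(text)
    if version is None:
        # No parsable version: report it rather than assume it is safe.
        return "unknown"
    # Tuple comparison is numeric per component, so 75 < 111 as intended.
    return "patched" if version >= patched else "needs-update"


def audit(inventory):
    """Map each host to 'patched', 'needs-update' or 'unknown'."""
    return {host: classify(text) for host, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```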

There is not much publicly available information indicating just how many people have been attacked. It is important to keep in mind that, while Chrome’s version of FreeType has been patched, other software that uses the library may be vulnerable. In a tweet, Google Project Zero technical lead Ben Hawkes stated: “While we only saw an exploit for Chrome, other users of FreeType should adopt the fix discussed here.”


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
