Google was recently alerted by one of its own researchers to a memory corruption vulnerability in its Chrome browser. The flaw, a zero-day cataloged as CVE-2020-15999, was uncovered by Sergei Glazunov, who works with Google’s internal security team Project Zero. This was confirmed in a blog post by Google that acknowledges the bug finders who brought the flaws to their attention. The blog post specifically speaks of multiple vulnerabilities that Google has patched, and in the case of CVE-2020-15999, post author Prudhvikumar Bommana stated the following:
“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”
The memory corruption vulnerability, which has a high severity ranking on the Common Vulnerability Scoring System (CVSS), results from a heap buffer overflow in FreeType. FreeType is an open-source software development library for rendering fonts, and because Chrome ships with it, the flaw reaches a large number of users.
Google patched this Chrome vulnerability quickly after being notified, but the presence of the flaw in the wild is a cause for concern. It is not known how long this zero-day existed, but these types of exploits can allow a black hat hacker to potentially gain control of the browser and even your machine.
For this reason, it is recommended that you update Chrome to version 86.0.4240.111 immediately. Experts took to Twitter to warn their followers of the consequences of ignoring this update. Sam Stepanyan, a leader of OWASP’s London chapter, warned Twitter followers that “attackers can execute arbitrary code on your computer.”
There is not much publicly available information indicating just how many people have been attacked. It is important to keep in mind that, while Chrome’s version of FreeType has been patched, other copies of the library, in software other than Chrome, may still be vulnerable. In a tweet, Google Project Zero technical lead Ben Hawkes stated: “While we only saw an exploit for Chrome, other users of FreeType should adopt the fix discussed here.”