Google fixes two more Chrome zero-days that were under active exploit
Both desktop and Android versions are affected. …
reader comments
38 with 27 posters participating, including story author
Google has patched two zero-day vulnerabilities in its Chrome browser, the third time in two weeks that the company has fixed a Chrome security flaw that’s under active exploit.
According to a Monday tweet from Ben Hawkes, the head of Google’s Project Zero vulnerability and exploit research arm, CVE-2020-16009, as the first vulnerability is tracked, is a remote code-execution bug in V8, Chrome’s open source JavaScript engine. A second security flaw, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allows attackers to escape the Android sandbox, suggesting that hackers may have been using it in combination with a separate vulnerability.
Hawkes didn’t provide additional details, such as what desktop versions of Chrome were actively targeted, who the victims were, or how long the attacks had been going on. It also wasn’t clear if the same attack group was responsible for all three exploits. CVE-2020-16009 was in part discovered by a member of Google’s Threat Analysis Group, which focuses on government-backed hacking, suggesting that exploits of that vulnerability may be the work of a nation-state. Project Zero was involved in the discovery of all three of the zero-days.
actively exploited vulnerability in Freetype, which Chrome and other, non-Google apps use to render fonts. To gain code-execution capabilities, hackers were combining exploits with a separate one that targeted currently unpatched bug in Windows 10 and Windows
Continue reading – Article source