Google releases Chrome security update to patch actively exploited zero-day - ZDNet

Oct 20, 2020

Google Chrome 86.0.4240.111 released with a fix.

Google released Chrome version 86.0.4240.111 earlier today to deploy security fixes, including a patch for an actively exploited zero-day vulnerability.

The zero-day is tracked as CVE-2020-15999 and is described as a memory corruption bug in the FreeType font rendering library that's included with standard Chrome distributions.

In-the-wild attacks leveraging this FreeType bug were discovered by security researchers from Project Zero, one of Google's internal security teams.

According to Project Zero team lead Ben Hawkes, a threat actor was spotted abusing this FreeType bug to mount attacks against Chrome users.

Hawkes is now urging other app vendors who use the same FreeType library to update their software as well, in case the threat actor decides to shift its attacks to other apps.

A patch for this bug has been included in FreeType 2.10.4, released earlier today.

Chrome users can update to v86.0.4240.111 via the browser's built-in update function (see Chrome menu, Help option, and About Google Chrome section).
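For teams tracking the rollout across many machines, the following added example (not part of the original article) triages an inventory against the two fixed releases named above, Chrome 86.0.4240.111 and FreeType 2.10.4. The hostnames and inventory rows are constructed; a version older than the fixed release only means "not confirmed patched", since a vendor may ship a backported fix under an older version number.

```python
import re

# Fixed releases named in the article.
FIXED = {
    "chrome": (86, 0, 4240, 111),
    "freetype": (2, 10, 4),
}

def parse_version(text):
    """Turn '86.0.4240.75' into (86, 0, 4240, 75); None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def needs_update(product, version):
    """True if older than the fixed release, False if at or above, None if unknown."""
    fixed = FIXED.get(product.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    # Pad to equal length so '2.10' compares as 2.10.0.
    width = max(len(fixed), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(parsed) < pad(fixed)

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-01", "chrome", "86.0.4240.75"),
    ("ws-02", "chrome", "86.0.4240.111"),
    ("ws-03", "chrome", "86.0.4240.99"),   # a plain string compare ranks this above .111
    ("build-01", "freetype", "2.10.4"),
    ("build-02", "freetype", "2.9.1"),     # a plain string compare ranks this above 2.10.4
    ("build-03", "freetype", "2.10"),
    ("kiosk-01", "chrome", "unknown"),     # unparseable: goes to manual review
]

def triage(inventory):
    """Group hosts into 'update', 'ok' and 'review' (version could not be judged)."""
    report = {"update": [], "ok": [], "review": []}
    for host, product, version in inventory:
        verdict = needs_update(product, version)
        key = "review" if verdict is None else ("update" if verdict else "ok")
        report[key].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```

Comparing versions as integer tuples matters here: as strings, "86.0.4240.99" sorts after "86.0.4240.111" and "2.9.1" after "2.10.4", which would mark unpatched hosts as current.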

Excellent work Chrome team on a super fast response.

Google usually sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers' hands.

However, since the patch for this zero-day is visible in the source code of FreeType, an open source project, it's expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks.

CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months.


Summarized by 365NEWSX ROBOTS
