Chrome zero-day V8 vulnerability found being actively exploited

[Cal Jeffrey]

PSA: Over the last couple of weeks, Google has been busy patching several actively exploited security holes in its Chrome browser. The latest uses a flaw In the desktop version's V8 JavaScript engine to execute RCE attacks. A separate bug in the Android build allows for a sandbox escape.

Researchers with Google's Threat Analysis Group (TAG) and Project Zero discovered a zero-day exploit (CVE-2020-16009) last week. On Monday, Google released Chrome patch 86.0.4240.183 for Windows, macOS, and Linux that addresses the issue.

The patch notes do not divulge details regarding the security hole other than saying it has to do with an "inappropriate implementation" in the V8 JavaScript rendering engine. It also mentions the weakness is already being actively exploited.

"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the patch notes read.

A few people noticed that CVE-2020-16010 wasn't included in the link above. That's because Chrome has separate release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now available here: https://t.co/6hBKMuCAaK

— Ben Hawkes (@benhawkes) November 3, 2020

Google Project Zero's technical lead Ben Hawkes, tweeted that the flaw allows attackers to perform RCE (remote code execution) attacks. Hawkes also mentioned a critical update for the Android version of Chrome that patches a "sandbox escape" on Android phones (CVE-2020-16010).

These two zero-day flaws come right on the heels of two others that Google recently fixed.

The Hacker News reported that CVE-2020-15999—a heap buffer overflow in font-rendering package Freetype—was being actively exploited just two weeks ago. Another vulnerability (CVE-2020-17087) found late last week caused a buffer overflow in the Windows Kernel Cryptography Driver that created a sandbox escape. It, too, was being actively exploited.

The 86.0.4240.183 update includes several other high priority security patches as well. Google recommends updating both the desktop and Android versions of Chrome immediately.

Image credit: Evan Lorne

Permalink to story.

https://www.techspot.com/news/87433-chrome-zero-day-v8-vulnerability-found-actively-exploited.html

 

[BadThad]

Please make laws that are MUCH tougher on the scum that get caught using exploits and stealing data!

 

[Uncle Al]

I'm just unhappy that Chrome doesn't automatically check for updates & patches on boot up, or at least have the ability to add this in settings so the user can decide to turn it on or leave it off ......

 

[Markoni35]

I've found another Chrome zero-day vulnerability. It's called "Chrome" and "Chromium". There's no fix other than removing it completely. Which isn't that easy, since the new version of Microsoft Edge browser is using Chromium internally. Which means it now comes with Windows 10. Thank you Satya Nadella. I hope they fire you soon.