Researchers with Google's Threat Analysis Group (TAG) and Project Zero discovered a zero-day exploit (CVE-2020-16009) last week. On Monday, Google released Chrome patch 86.0.4240.183 for Windows, macOS, and Linux that addresses the issue.
"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the patch notes read.
A few people noticed that CVE-2020-16010 wasn't included in the link above. That's because Chrome has separate release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now available here: https://t.co/6hBKMuCAaK — Ben Hawkes (@benhawkes), November 3, 2020
Google Project Zero's technical lead, Ben Hawkes, tweeted that the flaw allows attackers to perform RCE (remote code execution) attacks. Hawkes also mentioned a critical update for the Android version of Chrome that patches a "sandbox escape" on Android phones (CVE-2020-16010).
These two zero-day flaws come right on the heels of two others that Google recently fixed.
The Hacker News reported that CVE-2020-15999—a heap buffer overflow in the font-rendering package FreeType—was being actively exploited just two weeks ago. Another vulnerability (CVE-2020-17087), found late last week, caused a buffer overflow in the Windows Kernel Cryptography Driver that created a sandbox escape. It, too, was being actively exploited.
The 86.0.4240.183 update includes several other high-priority security patches as well. Google recommends updating both the desktop and Android versions of Chrome immediately.