PSA: Over the last couple of weeks, Google has been busy patching several actively exploited security holes in its Chrome browser. The latest is a flaw in the desktop version's V8 JavaScript engine that attackers use to achieve remote code execution (RCE). A separate bug in the Android build allows for a sandbox escape.

Researchers with Google's Threat Analysis Group (TAG) and Project Zero discovered a zero-day exploit (CVE-2020-16009) last week. On Monday, Google released Chrome patch 86.0.4240.183 for Windows, macOS, and Linux that addresses the issue.

The patch notes do not divulge details regarding the security hole other than saying it has to do with an "inappropriate implementation" in the V8 JavaScript engine. They also mention that the weakness is already being actively exploited.

"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the patch notes read.

Google Project Zero's technical lead, Ben Hawkes, tweeted that the flaw allows attackers to perform RCE (remote code execution) attacks. Hawkes also mentioned a critical update for the Android version of Chrome that patches a "sandbox escape" on Android phones (CVE-2020-16010).

These two zero-day flaws come right on the heels of two others that Google recently fixed.

The Hacker News reported that CVE-2020-15999—a heap buffer overflow in the font-rendering package FreeType—was being actively exploited just two weeks ago. Another vulnerability (CVE-2020-17087), found late last week, caused a buffer overflow in the Windows Kernel Cryptography Driver that created a sandbox escape. It, too, was being actively exploited.

The 86.0.4240.183 update includes several other high-priority security patches as well. Google recommends updating both the desktop and Android versions of Chrome immediately.
