Google rolls out Chrome security update to patch active zero-day vulnerability
Chrome users can update to v86.0.4240.111 via the browser's built-in update function. And we reccomend you do it right now.
Google has rolled out Chrome version 86.0.4240.111 which brings about security fixes, including a patch for an actively exploited zero-day vulnerability.
As per the ZDNet report, the zero-day vulnerability is tracked as CVE-2020-15999 and is described as “a memory corruption bug in the FreeType font rendering library that's included with standard Chrome distributions”.
Project Zero, which is one of Google’s internal security teams, discovered these attacks that were leveraging the FreeType bug. Project Zero team lead Ben Hawkes also pointed out a threat actor that was abusing this FreeType bug to mount attacks against Chrome users.
Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh— Ben Hawkes (@benhawkes) October 20, 2020
Hawkes has urged all app vendors to use the same FreeType library to update their software in case the threat actor “decides to shift attacks against other apps”.
A patch for this bug has been included in FreeType 2.10.4 and has been released.
Chrome users can update to v86.0.4240.111 via the browser's built-in update function. Go to Chrome ‘Menu’, click on ‘Help’ and then go the ‘About Google Chrome’ option for the update.
ZDNet states that the finer details about CVE-2020-15999 active exploitation attempts have not been made public yet and that Google usually “sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers' hands”.
However, since the patch for this zero-day is visible in the source code of FreeType, which is an open source project, it's “expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks”.
CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months. The first two were CVE-2019-13720 (which happened in October 2019) and CVE-2020-6418 (which happened in February 2020).