Google rolls out Chrome security update to patch active zero-day vulnerability

Chrome users can update to v86.0.4240.111 via the browser's built-in update function. And we reccomend you do it right now. 

By: HT TECH
| Updated on: Oct 21 2020, 16:00 IST
Project Zero, which is one of Google’s internal security teams, discovered these attacks that were leveraging the FreeType bug.
Project Zero, which is one of Google’s internal security teams, discovered these attacks that were leveraging the FreeType bug. (Forbes)

Google has rolled out Chrome version 86.0.4240.111 which brings about security fixes, including a patch for an actively exploited zero-day vulnerability.

As per the ZDNet report, the zero-day vulnerability is tracked as CVE-2020-15999 and is described as “a memory corruption bug in the FreeType font rendering library that's included with standard Chrome distributions”.

You may be interested in

MobilesTablets Laptops
25% OFF
Google Pixel 128GB
  • Black
  • 4 GB RAM
  • 128 GB Storage
37% OFF
Google Pixel 7 Pro 5G
  • Obsidian
  • 12 GB RAM
  • 128 GB Storage
7% OFF
Google Pixel 7 5G
  • Obsidian
  • 8 GB RAM
  • 128 GB Storage
11% OFF
Google Pixel 7A
  • Charcoal
  • 8 GB RAM
  • 128 GB Storage

Project Zero, which is one of Google's internal security teams, discovered these attacks that were leveraging the FreeType bug. Project Zero team lead Ben Hawkes also pointed out a threat actor that was abusing this FreeType bug to mount attacks against Chrome users.

Also read
Looking for a smartphone? To check mobile finder click here.

Hawkes has urged all app vendors to use the same FreeType library to update their software in case the threat actor “decides to shift attacks against other apps”.

A patch for this bug has been included in FreeType 2.10.4 and has been released.

Also Read: Google Chrome's Dinosaur game has a new rival, and it is actually better

Chrome users can update to v86.0.4240.111 via the browser's built-in update function. Go to Chrome ‘Menu', click on ‘Help' and then go the ‘About Google Chrome' option for the update.

ZDNet states that the finer details about CVE-2020-15999 active exploitation attempts have not been made public yet and that Google usually “sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers' hands”.

However, since the patch for this zero-day is visible in the source code of FreeType, which is an open source project, it's “expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks”.

CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months. The first two were CVE-2019-13720 (which happened in October 2019) and CVE-2020-6418 (which happened in February 2020).

Catch all the Latest Tech News, Mobile News, Laptop News, Gaming news, Wearables News , How To News, also keep up with us on Whatsapp channel,Twitter, Facebook, Google News, and Instagram. For our latest videos, subscribe to our YouTube channel.

First Published Date: 21 Oct, 16:00 IST
NEXT ARTICLE BEGINS