Security News > 2020 > February > Google fixes another Chrome zero-day exploited in the wild
For the third time in a year, Google has fixed a Chrome zero-day that is being actively exploited by attackers in the wild.
No details have been shared about the attacks and about the flaw itself, apart from the short description that says it's a type confusion flaw in V8, the JavaScript engine used by the Chrome browser.
The fix was already in place a day later but, as the code is public, researchers from Exodus Intelligence managed to analyze it and develop proof-of-concept exploit code.
They released the exploit - which works only if Chrome's sandbox is disabled or can be bypassed via another vulnerability - and pointed out that it's a good thing Google has managed to reduce Chrome's "Patch gap" to two weeks.
The Chrome release fixing CVE-2020-6418 and two other high-risk flaws was released for Windows, Mac, and Linux and will roll out over the coming days/weeks.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/YQ3U9Q_r97g/
Related news
- Google fixes Chrome zero-day exploited in espionage campaign (source)
- Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783) (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking (source)
- Google Chrome's AI-powered security feature rolls out to everyone (source)
- Google Chrome disables uBlock Origin for some in Manifest v3 rollout (source)
- Google fixes Android zero-day exploited by Serbian authorities (source)
- Google Cuts Off uBlock Origin on Chrome as Firefox Stands Firm on Ad Blockers (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- After Chrome patches zero-day used to target Russians, Firefox splats similar bug (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-27 | CVE-2020-6418 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |